
A critical remote code execution flaw in Veeam Backup & Replication has been disclosed, letting authenticated domain users run arbitrary code on affected backup servers. The vulnerability, tracked as CVE-2026-44963 and rated 9.4 on the CVSS scale, impacts all releases prior to version 12.3.2. Administrators are urged to apply the update released in version 12.3.2.4854 to close the gap, as reported by SecurityOnline here.
CVE-2026-44963 resides in the backup server’s web interface where a lack of proper input validation allows a logged‑in domain user to craft a request that executes arbitrary commands with the privileges of the Veeam service. The flaw is present in versions 12.0.0 through 12.3.1 and was remedied in the cumulative update numbered 12.3.2.4854. According to the vendor advisory KB4869, the issue does not affect the newly released version 13.x line. Successful exploitation requires valid Active Directory credentials but does not need administrative rights on the backup server itself.
Although no public exploits or confirmed attacks have been observed in the wild, backup systems remain a high‑value target for ransomware operators who seek to destroy or encrypt recovery points. Veeam patched another critical flaw, CVE-2025-23121, in June 2025, and a separate vulnerability in Check Point VPN gateways, CVE-2026-50751, is currently being exploited in the wild. The confluence of these issues highlights why attackers often focus on poorly protected backup infrastructure.
The vendor notes that version 13 incorporates architectural changes that inherently prevent the vulnerable code path, meaning organisations already running that branch are not exposed. However, the public disclosure of CVE-2026-44963 increases the likelihood that threat actors will scan for unpatched 12.x hosts and attempt to leverage the flaw before administrators can apply the fix. Prompt patching remains the most effective mitigation.
Organisations should first verify the exact version of Veeam Backup & Replication in use and upgrade any instance older than 12.3.2 to the latest cumulative update. Next, review the groups granted access to the backup console and remove any unnecessary domain accounts, enforcing multi‑factor authentication for those that remain. Enable detailed logging of web‑interface connections and monitor for atypical command execution or process spawning linked to the Veeam service account.
Consider segregating the backup network from the production LAN, restricting management access to a dedicated jump host and applying firewall rules that allow only authorised administrative workstations. Maintain an offline, immutable copy of critical backups to ensure recoverability even if an attacker gains temporary control. Finally, test restore procedures regularly to confirm that backups remain usable and that any anomalous activity is detected early.