Veeam RCE: Because Attackers Love Backups Too
Veeam patched a critical remote code execution vulnerability in Backup & Replication, tracked as CVE-2026-44963 with a CVSS score of 9.4. The flaw allows an authenticated domain user to execute remote code on the backup server. It affects Veeam Backup & Replication 12.3.2.4465 and earlier version 12 builds, but not version 13 due to architectural changes. The fix is included in version 12.3.2.4854. Given ransomware groups’ history of targeting backup systems, rapid patching is strongly recommended.
Backups are meant to be your safety net. Unfortunately, they are also a favourite target for ransomware crews who know that deleting the safety net makes the fall much more expensive.
Veeam has patched a critical remote code execution vulnerability in Backup & Replication. The flaw, tracked as CVE-2026-44963, allows an authenticated domain user to run code remotely on the backup server.
That distinction matters. This is not unauthenticated internet chaos, but in a compromised internal network, a domain user account is often not hard to come by. Once attackers get access to backup infrastructure, the situation can escalate quickly.
Affected versions include Veeam Backup & Replication 12.3.2.4465 and earlier version 12 builds. Version 13 is not affected due to architectural changes. Veeam has fixed the issue in version 12.3.2.4854.
For defenders, this should be treated as a high-priority patch. Backup servers often contain sensitive credentials, access to production workloads and the ability to restore — or destroy — key systems.
Recommended actions include patching immediately, restricting access to backup servers, reviewing domain user permissions, and monitoring for suspicious authentication or remote execution attempts. Also validate backup immutability, because a backup that ransomware can alter is less “recovery plan” and more “expensive decoration”.