New Veeam vulnerability exposes backup servers to RCE attacks

Veeam has released security updates to patch a critical Backup & Replication security flaw that can be exploited to gain remote code execution (RCE) on domain-joined backup servers.

The vulnerability (tracked as CVE-2026-44963 and reported by WatchTowr security researcher Sina Kheirkhah) affects Veeam Backup & Replication (VBR) 12.3.2.4465 and all earlier version 12 builds, and was fixed in version 12.3.2.4854.

While any domain user with low privileges can exploit this vulnerability, the flaw only impacts Veeam Backup & Replication installations that are joined to a domain.

"A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user," Veeam said in a Tuesday advisory. "This vulnerability does not affect any version 13.x build of Veeam Backup & Replication due to architectural changes starting in version 13."

However, unfortunately, many companies have joined their Veeam servers to a Windows domain, ignoring Veeam's long-standing best practices.

While there are no reports of active exploitation, Veeam warned that attackers will often begin developing exploits as soon as patches are released.

"It's important to note that once a vulnerability and its associated patch are disclosed, attackers will likely attempt to reverse-engineer the patch to exploit unpatched deployments of Veeam software," the company added. "This reality underscores the critical importance of ensuring that all customers use the latest versions of our software and install all updates and patches without delay."

Often targeted in ransomware attacks

Ransomware gangs have told BleepingComputer in the past that they always target Veeam backup servers because this allows them to steal sensitive data, move within breached networks, and block restoration efforts by deleting victims' backups.

In recent years, the Cybersecurity and Infrastructure Security Agency (CISA) has flagged four Veeam Backup & Replication flaws as actively exploited in attacks, all of which have been abused by ransomware gangs.

For instance, in November 2024, Sophos X-Ops reported that several ransomware operations, including the Akira, Fog, and Frag gangs, had weaponized another critical VBR RCE flaw (CVE-2024-40711).

The financially motivated FIN7 threat group (which often collaborated with the Maze, Egregor, Conti, REvil, and BlackBasta ransomware groups) and the Cuba ransomware gang have also both been linked to attacks targeting VBR security flaws.

Veeam's products are used by over 550,000 customers worldwide, including 82% of Fortune 500 companies and 74% of Global 2,000 firms.