Critical Veeam Backup RCE Flaw (CVE-2026-44963) Lets Domain Users Execute Code

Veeam has shipped an emergency patch for a critical remote code execution vulnerability in its widely deployed Backup & Replication platform. Tracked as CVE-2026-44963, the flaw carries a CVSS score of 9.4 out of 10 and allows any authenticated domain user to execute arbitrary code on the Backup Server, making it a serious risk in enterprise environments where the service is exposed to broad internal user bases.

The vulnerability, credited to watchTowr researcher Sina Kheirkhah, impacts Veeam Backup & Replication 12.3.2.4465 and all earlier 12.x builds. Notably, Veeam confirmed that version 13.x builds are not affected thanks to architectural changes introduced in the newer release line. Administrators running version 12 should immediately upgrade to 12.3.2.4854, the patched build released this week, and verify that backup infrastructure is not unnecessarily exposed to authenticated but unprivileged users. A quick privacy checkup across exposed services can help identify whether management interfaces are reachable from broader network segments than intended.

This is not the first time Veeam Backup & Replication has been in the crosshairs. In March 2026, the vendor resolved multiple critical RCE flaws in the same product, and prior vulnerabilities have been actively weaponized by ransomware affiliates targeting backup infrastructure precisely because compromised backups eliminate the victim's last line of recovery. Defenders should treat any unpatched Veeam appliance as a top-priority asset, audit domain user permissions against the Backup Server, and monitor for anomalous process execution originating from backup service accounts. Network teams can validate exposure by running a port scanner against known Veeam infrastructure to confirm management ports are not internet-facing, and review domain logs for compromised credentials that could grant the low-privileged access this exploit requires.