XOOMAR
Cybersecurity · June 9, 2026 · 5 min read · By XOOMAR Insights Team

Low-Privilege Users Can Attack Backups in Veeam RCE

Updated on June 9, 2026

Veeam Backup & Replication servers joined to a Windows domain are exposed to a newly patched critical RCE flaw that a low-privileged authenticated domain user can exploit against affected installations.


The vulnerability, tracked as CVE-2026-44963, affects Veeam Backup & Replication 12.3.2.4465 and all earlier version 12 builds, and was fixed in version 12.3.2.4854, according to BleepingComputer. The bug was reported by WatchTowr security researcher Sina Kheirkhah.

Domain-joined Veeam servers carry the sharpest risk

Veeam says the flaw can let an authenticated domain user execute code remotely on the backup server. That is the dangerous part. Backup servers often sit close to the systems companies most need during a breach.

“A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user,” Veeam said in its advisory.

The exposure is not universal across every deployment. The source material says the flaw only affects Veeam Backup & Replication installations that are joined to a domain. It also does not affect version 13.x builds because of architectural changes introduced in version 13.

So the first question for administrators is blunt: is the VBR server joined to a Windows domain, and is it running an affected version 12 build?

Veeam has long advised against configurations that increase backup server exposure, but BleepingComputer reports that many companies have still joined their Veeam servers to a Windows domain. That matters because the exploit condition is not “internet-exposed attacker with no access.” It is an authenticated domain user with low privileges.

That still leaves real risk. In a compromised Windows environment, low-privilege domain access is often not the end of an intrusion. It is the starting point.

Affected and fixed versions:

| Product | Affected builds | Fixed build | Not affected |
| --- | --- | --- | --- |
| Veeam Backup & Replication | 12.3.2.4465 and all earlier version 12 builds | 12.3.2.4854 | 13.x builds |

Veeam also warned that patch disclosure can start a race. Once attackers can compare vulnerable and fixed code, exploit development becomes more practical. That same dynamic has driven urgent patch cycles across other software categories, as XOOMAR has covered in Fifth Chrome Zero-Day Forces an Urgent Google Patch and Chrome Zero-Day Forces Google Into a 74-Bug Patch Race.


Ransomware crews already know why Veeam matters

There are no reports of active exploitation of CVE-2026-44963, according to the supplied source material. That is the good news. The bad news is the target class.

BleepingComputer reports that ransomware gangs have previously said they target Veeam backup servers because those systems can help them steal sensitive data, move through breached networks, and block restoration by deleting backups.

That makes this patch different from a routine enterprise software update. If an attacker can execute code on a backup server, the blast radius can reach beyond one machine. The backup environment can become a control point over recovery itself.

Four Veeam Backup & Replication vulnerabilities have been flagged by CISA in recent years as actively exploited in attacks, and BleepingComputer says all were abused by ransomware gangs. One example is CVE-2024-40711, a critical VBR RCE flaw that Sophos X-Ops reported in November 2024 had been weaponized by several ransomware operations, including Akira, Fog, and Frag.

Other groups have also been linked to attacks targeting VBR flaws. The source names FIN7, which often collaborated with Maze, Egregor, Conti, REvil, and BlackBasta, as well as the Cuba ransomware gang.

The scale raises the stakes. Veeam products are used by more than 550,000 customers worldwide, including 82% of Fortune 500 companies and 74% of Global 2,000 firms.

The practical question is not whether every exposed Veeam server will be attacked. It is whether defenders can patch faster than attackers can reverse-engineer the update and find reachable, domain-joined deployments.

Security teams should patch version 12 and challenge domain access

Administrators running affected Veeam Backup & Replication 12 builds should move to 12.3.2.4854 as a priority. Teams already on 13.x are outside the scope of this specific flaw, based on Veeam’s statement cited by BleepingComputer.

A useful first pass is narrow and fast:

  • Version check: Confirm whether any VBR server is running 12.3.2.4465 or an earlier version 12 build.
  • Domain status: Identify which backup servers are joined to a Windows domain.
  • Access review: Check which domain users and groups can authenticate to systems that host or manage backup infrastructure.
  • Patch coverage: Verify that all production and non-production VBR servers are updated, not just the primary system that administrators remember first.
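The version and domain checks above can be run over an inventory export in one pass. The sketch below is an added example, not code from Veeam or from the sources cited here; the CSV column names, hostnames and sample build numbers are constructed, and only the two build thresholds come from this article. Builds the article does not classify (other major versions, or anything between the two named builds) are flagged for a manual check against the vendor advisory.

```python
"""Triage a VBR inventory against the builds named in this article (added example)."""
import csv
import io

LAST_AFFECTED = (12, 3, 2, 4465)   # from the article: this and all earlier v12 builds
FIXED_BUILD = (12, 3, 2, 4854)     # from the article: build carrying the fix

# Constructed sample inventory; hostnames, builds and column names are hypothetical.
SAMPLE_INVENTORY = """host,vbr_build,domain_joined
vbr-prod-01,12.3.2.4465,yes
vbr-prod-02,12.3.2.4854,yes
vbr-lab-01,12.1.0.2131,no
vbr-dr-01,13.0.0.100,yes
vbr-test-01,12.3.2.4500,yes
vbr-old-01,11.0.1.1261,yes
"""

def parse_build(text):
    """Turn '12.3.2.4465' into (12, 3, 2, 4465) so builds compare numerically."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected four dotted fields, got {text!r}")
    return parts

def classify(build, domain_joined):
    """Map one server to a triage status using only the conditions the article states."""
    if build[0] == 13:
        return "not-affected"
    if build[0] != 12:
        return "check-advisory"        # article says nothing about other major versions
    if build >= FIXED_BUILD:
        return "fixed"
    if build > LAST_AFFECTED:
        return "check-advisory"        # between the two named builds: not stated
    return "patch-now" if domain_joined else "patch-not-domain-joined"

def triage(inventory_csv):
    """Return {host: status} for every row of the inventory."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {
        r["host"]: classify(parse_build(r["vbr_build"]),
                            r["domain_joined"].strip().lower() == "yes")
        for r in rows
    }

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Parsing builds into integer tuples matters here: comparing the dotted strings directly would sort a five-digit final field below a four-digit one.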

What should security teams review first after patching?

Start with the condition that makes this bug exploitable: authenticated domain access to a domain-joined backup server. XOOMAR analysis: because the flaw requires a domain user and affects domain-joined deployments, the most relevant immediate checks are authentication paths into backup servers, privileged access around VBR, and whether backup infrastructure is segmented from broader domain activity. The source does not report active exploitation, so defenders should avoid assuming compromise without evidence.

Veeam’s own warning is the near-term watch item. Patch releases can become exploit roadmaps for attackers hunting unpatched systems.

If public exploit code appears, or if ransomware crews begin using CVE-2026-44963 in intrusions, domain-joined VBR 12 servers that missed the update will move from “urgent patch” to “likely target.” For now, the cleanest move is simple: update Veeam, reduce domain exposure where possible, and treat backup servers as ransomware targets before attackers do.

Impact Analysis

  • Backup servers are high-value targets because they are critical to recovery during ransomware and breach response.
  • The flaw can be exploited by a low-privileged authenticated domain user, making it dangerous after initial network compromise.
  • Organizations running domain-joined Veeam 12.x servers should verify exposure and apply the fixed version quickly.

Veeam Backup & Replication Exposure by Version

| Version/Configuration | Status | Risk |
| --- | --- | --- |
| Veeam Backup & Replication 12.3.2.4465 and earlier 12.x builds joined to a Windows domain | Affected | Authenticated low-privileged domain users may exploit RCE on the backup server |
| Veeam Backup & Replication 12.3.2.4854 | Fixed | Patch addresses CVE-2026-44963 |
| Veeam Backup & Replication 13.x | Not affected | Architectural changes in version 13 prevent exposure |