Full Report
Veeam has released security updates to patch a critical Backup & Replication security flaw that can be exploited to gain remote code execution (RCE) on domain-joined backup servers. [...]
Analysis Summary
# Vulnerability: Remote Code Execution in Veeam Backup & Replication
## CVE Details
- **CVE ID:** CVE-2026-44963
- **CVSS Score:** 9.8 (Critical - Estimated based on vendor description)
- **CWE:** Not specified (Likely related to Improper Access Control or Deserialization)
## Affected Systems
- **Products:** Veeam Backup & Replication (VBR)
- **Versions:** Version 12.3.2.4465 and all earlier version 12 builds.
- **Configurations:** Impacts Veeam Backup & Replication installations that are **joined to a domain**.
- *Note: Version 13.x is not affected due to architectural changes.*
## Vulnerability Description
The flaw allows remote code execution (RCE) on the backup server and can be exploited by an authenticated domain user with low privileges. Because Veeam Backup & Replication servers often hold high-level administrative credentials for the entire virtual infrastructure, RCE on this component allows attackers to compromise the backup repository, delete backups to prevent recovery, or pivot into the production environment.
## Exploitation
- **Status:** PoC availability expected (watchTowr research); currently no reports of active exploitation in the wild.
- **Complexity:** Low (Exploitable by low-privileged domain users).
- **Attack Vector:** Network (Authenticated).
## Impact
- **Confidentiality:** High (Full access to backup data and system credentials).
- **Integrity:** High (Ability to modify or delete backups and system configurations).
- **Availability:** High (Ability to delete backups, facilitating ransomware extortion).
## Remediation
### Patches
- **Veeam Backup & Replication 12.3.2.4854:** This update contains the fix for CVE-2026-44963.
- **Upgrade to Version 13.x:** Veeam recommends upgrading to the latest major version as it is inherently unaffected by this flaw.
### Workarounds
- **Disjoin from Domain:** Move the Veeam Backup Server from the Windows Domain to a Workgroup (Veeam’s long-standing security best practice).
- **Network Segmentation:** Restrict access to the VBR server management ports to only authorized administrative workstations.
## Detection
- **Indicators of Compromise:** Monitor for unusual service account activity or unexpected PowerShell/CMD executions originating from the Veeam service processes.
- **Detection methods and tools:**
  - Review Windows Event Logs for authentication events from low-privileged domain users targeting the VBR server.
  - Monitor for unauthorized file system changes in the Veeam installation directories.
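
The two log-based checks above can be combined into one correlation. The sketch below is an added example, not code from Veeam or from the cited reports. It assumes process-creation and logon events have already been exported into a hypothetical normalised format; the field names, the `Veeam.` file-name prefix match, the account allowlist, the 10-minute window and all sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from ntpath import basename  # parses Windows paths on any OS

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
WINDOW = timedelta(minutes=10)        # assumed correlation window
EXPECTED = {"CORP\\svc-veeam"}        # assumed allowlist of backup admin accounts

# Constructed sample events in a hypothetical normalised export format.
PROCS = [
    {"time": "2026-01-01T10:05:00", "parent": r"C:\Veeam\Veeam.Backup.Service.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c ver"},
    {"time": "2026-01-01T10:06:00", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"time": "2026-01-01T10:07:00", "parent": r"C:\Veeam\Veeam.Backup.Service.exe",
     "image": r"C:\Veeam\Veeam.Backup.Manager.exe", "cmdline": "Veeam.Backup.Manager.exe"},
]
LOGONS = [
    {"time": "2026-01-01T10:01:00", "account": "CORP\\jdoe", "logon_type": 3},
    {"time": "2026-01-01T10:02:00", "account": "CORP\\svc-veeam", "logon_type": 3},
    {"time": "2026-01-01T08:00:00", "account": "CORP\\asmith", "logon_type": 3},
]

def is_veeam_parent(path):
    # Assumption: Veeam service binaries have file names starting with "Veeam."
    return basename(path).lower().startswith("veeam.")

def find_suspicious(procs, logons):
    """Shell spawns from Veeam parents, each with the network logons (type 3)
    by non-allowlisted accounts seen in the preceding WINDOW."""
    hits = []
    for p in procs:
        if not is_veeam_parent(p["parent"]):
            continue
        if basename(p["image"]).lower() not in SHELLS:
            continue
        t = datetime.fromisoformat(p["time"])
        prior = {l["account"] for l in logons
                 if l["logon_type"] == 3 and l["account"] not in EXPECTED
                 and timedelta(0) <= t - datetime.fromisoformat(l["time"]) <= WINDOW}
        hits.append({"time": p["time"], "cmdline": p["cmdline"],
                     "prior_logons": sorted(prior)})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(PROCS, LOGONS):
        print(hit)
```

Backup jobs configured with pre- or post-job scripts can legitimately start a shell from a Veeam process, so baseline those command lines before alerting on every hit.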
## References
- **Vendor Advisory:** hxxps[://]www[.]veeam[.]com/kb4869
- **Patch Download:** hxxps[://]www[.]veeam[.]com/kb4696
- **Veeam Security Best Practices:** hxxps[://]bp[.]veeam[.]com/security/Design-and-implementation/Hardening/Workgroup_or_Domain[.]html#best-practice
- **BleepingComputer Report:** hxxps[://]www[.]bleepingcomputer[.]com/news/security/new-veeam-vulnerability-exposes-backup-servers-to-rce-attacks/