Veeam Patches CVSS 9.4 RCE in Backup & Replication
Key insights
- CVE-2026-44963 (CVSS 9.4) lets any authenticated domain user achieve RCE on unpatched Veeam Backup & Replication v12 servers.
- Researcher Sina Kheirkhah of watchTowr responsibly disclosed the flaw; Veeam released the fix in version 12.3.2.4854 on June 9, 2026.
- Version 13.x is unaffected due to architectural changes, while all v12 builds through 12.3.2.4465 remain exposed without the patch.
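As an added defender-side example (not code from Veeam, watchTowr or the original report), a small Python triage that classifies an inventory of Veeam Backup & Replication servers against the build thresholds stated above; the hostnames and inventory are constructed, and treating 12.x builds above the fixed build as patched and major versions other than 12 and 13 as out of scope are assumptions the page does not make.

```python
from typing import Dict, List, Tuple

FIXED_BUILD = (12, 3, 2, 4854)          # fix released June 9, 2026 (from the advisory)
LAST_AFFECTED_BUILD = (12, 3, 2, 4465)  # highest v12 build the advisory lists as affected

def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch.build' (leading 'v' tolerated); missing fields become 0."""
    parts = text.strip().lstrip("vV").split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable Veeam version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return nums[0], nums[1], nums[2], nums[3]

def classify(version: str) -> str:
    """Map one server's reported version to a CVE-2026-44963 status string."""
    v = parse_version(version)
    if v[0] == 13:
        return "unaffected"        # 13.x: unaffected due to architectural changes
    if v[0] != 12:
        return "out-of-scope"      # assumption: the advisory says nothing about other majors
    if v >= FIXED_BUILD:
        return "patched"           # assumption: later 12.x builds carry the fix
    if v <= LAST_AFFECTED_BUILD:
        return "vulnerable"
    return "unpatched-review"      # between the last listed affected build and the fix

def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hostnames by status; unparseable versions land in 'unknown'."""
    groups: Dict[str, List[str]] = {}
    for host, version in inventory.items():
        try:
            status = classify(version)
        except ValueError:
            status = "unknown"
        groups.setdefault(status, []).append(host)
    return {status: sorted(hosts) for status, hosts in groups.items()}

# Constructed sample inventory: hostnames and the 13.x / 12.1 / 4600 builds are made up.
SAMPLE_INVENTORY = {
    "vbr-01": "12.3.2.4465",   # last build the advisory lists as affected
    "vbr-02": "12.3.2.4854",   # the fixed build
    "vbr-03": "13.0.1.180",    # unaffected major version
    "vbr-04": "12.1.0.2131",   # older 12.x build
    "vbr-05": "v12.3.2.4600",  # between the last affected build and the fix
    "vbr-06": "n/a",           # inventory gap
}
```

Calling `triage(SAMPLE_INVENTORY)` returns the hosts grouped by status, so a real inventory export can be dropped in place of the constructed dictionary.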
Why this matters
Backup infrastructure is a primary ransomware target because disabling recovery capability maximizes attacker leverage, and CVE-2026-44963 places RCE on backup servers within reach of any authenticated domain user, a standard privilege level in most enterprise Windows environments. The CVSS 9.4 severity combined with this low privilege bar continues a pattern Veeam has faced repeatedly: the company patched multiple critical vulnerabilities in March 2026, and prior critical flaws have been actively exploited by ransomware groups. Organizations still running v12.3.2.4465 or earlier are now in a race against the same threat actors who have previously moved rapidly after Veeam patch disclosures.
Summary
Veeam patched CVE-2026-44963, a CVSS 9.4 flaw letting any authenticated domain user execute code remotely on backup servers.
Sina Kheirkhah of watchTowr responsibly disclosed the bug. All v12 builds through 12.3.2.4465 are affected; the fix shipped as version 12.3.2.4854 on June 9, 2026. Version 13.x is safe due to architectural changes.
Essentially: a critical RCE in enterprise backup software (Veeam, disclosed by watchTowr) is patched but undeployed across most of the exposed v12 install base.
- Any domain user, not just admins, can exploit this on unpatched servers.
- Prior Veeam flaws were actively exploited by ransomware groups; Veeam also patched multiple critical vulnerabilities in March 2026.
- v13.x is unaffected due to architectural changes, leaving the v12 install base as the active risk surface.
Backup servers are ransomware's top target, which makes a low-privilege RCE here especially dangerous.
Potential risks and opportunities
Risks
- Ransomware groups that weaponized prior Veeam vulnerabilities rapidly after patch release could target CVE-2026-44963 on unpatched v12.3.2.4465 deployments, disabling backup servers before deploying ransomware payloads.
- Organizations in regulated industries with mandatory change control cycles may remain exposed for weeks beyond the June 9 fix, extending the window for threat actors to exploit the low-privilege RCE vector.
- Enterprises still on v12 face compounding patch debt: CVE-2026-44963 adds to the March 2026 critical patches in an ecosystem where prior Veeam vulnerabilities have been actively exploited by ransomware groups.
Opportunities
- Veeam resellers and managed service providers have a concrete security justification to accelerate v12-to-v13.x migrations, since the architectural changes in v13.x eliminate CVE-2026-44963 exposure entirely.
- watchTowr's responsible disclosure of CVE-2026-44963 strengthens the firm's standing with enterprise security buyers evaluating vulnerability research partners focused on backup and recovery infrastructure.
- Enterprise patch management vendors can use the March 2026 and June 9, 2026 Veeam critical patch cycles as a two-incident case study to open budget conversations with customers running critical backup infrastructure on delayed upgrade schedules.
What we don't know yet
- Whether ransomware operators have already developed working exploits for CVE-2026-44963 in the days since the June 9, 2026 patch release is not addressed in public reporting.
- The specific technical mechanism enabling RCE is not detailed in the advisory, leaving exploitation complexity unassessable from public sources.
- Veeam has not disclosed how many enterprise customers remain on unpatched v12 builds, leaving the total exposed install base unknown.
Originally reported by thehackernews.com
Original headline: Veeam Backup & Replication CVE-2026-44963 (CVSS 9.4): Authenticated Domain User Achieves RCE on Backup Servers