Latest
Vulnerabilities

Critical Veeam Backup and Replication Bug Lets Any Domain User Run Code

Critical Veeam Backup and Replication Bug Lets Any Domain User Run Code

Veeam issued security updates for the Backup & Replication critical security weakness that enables an attacker to execute arbitrary remote code (RCE) on a domain-joined server running Veeam Backup & Replication.

  • The vulnerability (reported by Sina Kheirkhah, a WatchTowr security researcher, and tracked as CVE-2026-44963) exists in all prior version 12 releases of Veeam Backup & Replication (VBR), specifically the 12.3.2.4465 release, and was resolved in version 12.3.2.4854.
  • A domain user with low privileges can take advantage of this vulnerability, however, it is limited to only Veeam Backup & Replication installations that are members of a domain.
  • "The ability to remotely execute code (RCE) on the Backup Server from an authenticated domain user", stated Veeam in a Tuesday advisory.

Unfortunately, most organizations who run Veeam servers ignore the long-standing recommendations provided by Veeam and join their Veeam servers to a Windows domain.

Although there have been no reports of this vulnerability being actively exploited, Veeam indicated that adversaries typically develop exploits immediately upon the public disclosure of a vulnerability along with its corresponding patch.

"In fact, after vulnerabilities and patches are publicly disclosed, attackers will typically try to reverse engineer the patch to create an exploit for unpatched deployments of Veeam software. Therefore, ensuring that all customers utilize the latest version of our software and apply all available updates and patches as quickly as possible is absolutely critical."

Targeted frequently in ransomware attacks

In ransomware attacks, ransomware gangs have previously targeted Veeam backup servers to obtain sensitive information, move throughout the breached network, and prevent the victim from restoring their systems by deleting the victim's backups.

In recent years, the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) identified four Veeam Backup & Replication vulnerabilities that were under attack in various cyberattacks. All of these attacks involved ransomware gangs using the vulnerabilities.

One example occurred when Sophos X-Ops reported that multiple ransomware gangs, including Akira, Fog, and Frag, developed exploits against a critical RCE flaw (CVE-2024-40711) in VBR.

FIN7, a financially motivated threat actor that commonly worked with the Maze, Egregor, Conti, REvil, and BlackBasta ransomware gangs, and the Cuba ransomware gang have also been implicated in attacks exploiting VBR vulnerabilities.

Over 550,000 companies globally, including 82% of Fortune 500 companies and 74% of Global 2000 firms, rely on Veeam products.

More in Vulnerabilities & Patches

FFmpeg PixelSmash Flaw Turns Malicious Video Files Into Remote Code Execution
Vulnerabilities

FFmpeg PixelSmash Flaw Turns Malicious Video Files Into Remote Code Execution

Jul 11, 2026 4 min read
AI Cyberattacks: Two Years of Insane Vulnerabilities
Vulnerabilities

AI Cyberattacks: Two Years of Insane Vulnerabilities

Jun 30, 2026 8 min read
Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero-days
Vulnerabilities

Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero-days

Jun 10, 2026 3 min read
Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation
Vulnerabilities

Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation

Jun 4, 2026 6 min read