Cyber Insights: Critical Veeam RCE Vulnerability Exposes Domain-Joined Backup Servers to Compromise
Veeam has released security updates to address a critical Remote Code Execution (RCE) vulnerability that could allow a low-privileged domain user to execute arbitrary code on vulnerable backup servers.
Tracked as CVE-2026-44963, the flaw affects Veeam Backup & Replication (VBR) version 12.3.2.4465 and all earlier 12.x releases. The issue has been fixed in version 12.3.2.4854, while Veeam’s newer 13.x branch is not affected due to architectural changes introduced in the latest release.
Although no active exploitation has been reported at the time of writing, security researchers and defenders are paying close attention. Backup infrastructure has long been a favourite target for ransomware groups, and newly disclosed Veeam vulnerabilities have historically been weaponised shortly after patches become available.
For organisations running domain-joined Veeam servers, this vulnerability should be treated as a high-priority remediation event.
CVE-2026-44963 is a critical vulnerability that allows an authenticated user within an Active Directory environment to execute code on a Veeam Backup & Replication server.
The key detail is that exploitation does not require administrative privileges. Instead, a standard domain account with relatively limited permissions may be sufficient to trigger the flaw.
According to Veeam, the vulnerability only affects deployments where the backup server is joined to an Active Directory domain. Organisations running standalone Veeam servers or those already operating Veeam Backup & Replication 13.x are not impacted.
While the technical details remain limited, the low privilege requirement significantly reduces the barrier to exploitation following an initial compromise elsewhere in the environment.
Backup systems are often one of the first assets threat actors target once they gain access to a network.
From an attacker’s perspective, compromising backup infrastructure can provide several advantages. It may allow them to disable recovery mechanisms, identify critical systems, access sensitive data, or establish persistence within the environment. In ransomware incidents, backup servers are particularly valuable because they often determine whether an organisation can recover without paying a ransom.
This is why Veeam infrastructure has repeatedly appeared in ransomware investigations over recent years. Threat groups understand that organisations become far more vulnerable once their recovery options are removed.
As a result, vulnerabilities affecting backup platforms frequently attract significant attention from both financially motivated criminals and more sophisticated threat actors.
This is not the first time Veeam Backup & Replication has appeared on the radar of threat actors.
Over the past several years, multiple ransomware groups have been observed exploiting vulnerabilities affecting Veeam infrastructure, including:
Most recently, several ransomware operators were linked to the exploitation of CVE-2024-40711, another critical Veeam RCE vulnerability that quickly became a popular post-compromise attack vector.
The history of Veeam exploitation means organisations should not assume the absence of active attacks today will remain the case for long. Once patches are released, threat actors often begin reverse-engineering fixes to understand exactly what has changed and how vulnerable systems can be targeted.
The most concerning aspect of this vulnerability is not necessarily the exploit itself, but where it sits within the attack lifecycle.
In many incidents, attackers already possess a foothold through phishing, stolen credentials, malware, or compromised user accounts. A vulnerability such as CVE-2026-44963 provides a potential pathway from that initial access point to one of the most strategically important systems in the environment.
Because exploitation requires only a low-privileged domain account, organisations should view this as a post-compromise risk multiplier. An attacker who gains access to a standard user account may be able to leverage the flaw to compromise backup infrastructure and increase the impact of a wider attack.
The fact that Veeam is used by more than 550,000 organisations globally, including a large percentage of Fortune 500 and Global 2000 companies, only increases its attractiveness as a target.
While patching remains the most effective mitigation, security teams should also increase monitoring around backup infrastructure.
Particular attention should be given to unusual authentication activity involving Veeam servers, especially logins originating from accounts that would not normally interact with backup systems. Security teams should also investigate unexpected PowerShell execution, new process creation originating from Veeam services, or suspicious administrative actions involving backup repositories.
Other behaviours worth reviewing include:
Because backup infrastructure often sits quietly in the background, abnormal activity can easily go unnoticed without dedicated monitoring and alerting.
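As an added illustration of the monitoring described above (example code written for this article, not a NormCyber or Veeam tool), the routine below applies two of the checks to constructed log records: logons to a backup server from accounts outside an allow-list baseline, and PowerShell spawned beneath a Veeam service process. The log format, account names, host names and Veeam parent process names are all assumptions for the demo.

```python
# Added example: simple triage of constructed Veeam-server log records.
# Two checks: (1) logon by an account not in the baseline allow-list,
# (2) powershell.exe whose parent is a Veeam service process.
from dataclasses import dataclass

# Accounts that legitimately interact with the backup server (constructed baseline).
BASELINE_ACCOUNTS = {"CORP\\svc_veeam", "CORP\\backup-admin"}
# Assumed Veeam service process names for the demo, not a vendor-published list.
VEEAM_PARENTS = {"veeam.backup.service.exe", "veeam.backup.manager.exe"}

# Constructed, simplified log lines: kind|host|field1|field2
SAMPLE_LOGS = """\
logon|VBR01|CORP\\svc_veeam|10.0.5.20
logon|VBR01|CORP\\jsmith|10.0.9.77
proc|VBR01|veeam.backup.service.exe|powershell.exe
proc|VBR01|explorer.exe|notepad.exe
logon|VBR01|CORP\\backup-admin|10.0.5.21
"""

@dataclass
class Finding:
    kind: str
    host: str
    detail: str

def parse_line(line):
    """Split one record; return None for blank or malformed lines."""
    parts = line.strip().split("|")
    return parts if len(parts) == 4 else None

def analyse(raw):
    """Return a Finding for every record that trips one of the two checks."""
    findings = []
    for line in raw.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind, host, a, b = rec
        if kind == "logon" and a not in BASELINE_ACCOUNTS:
            findings.append(Finding("unexpected_logon", host, f"{a} from {b}"))
        elif kind == "proc" and a.lower() in VEEAM_PARENTS and b.lower() == "powershell.exe":
            findings.append(Finding("veeam_spawned_powershell", host, f"{a} -> {b}"))
    return findings

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOGS):
        print(f.kind, f.host, f.detail)
```

In a real deployment the baseline would come from an inventory of service and administrative accounts, and the records from Windows Security event logs rather than a hard-coded string.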
The immediate priority should be identifying all affected Veeam Backup & Replication 12.x deployments and upgrading them to version 12.3.2.4854 or later.
Organisations should also review which Veeam servers remain joined to Active Directory domains and assess whether this configuration is operationally necessary. Veeam has long recommended separating backup infrastructure from the primary domain where possible, yet many organisations continue to maintain domain-joined deployments.
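The identification step above can be scripted against an inventory. The following is an added example (not Veeam's own tooling) that classifies each server using the version boundaries from the advisory (12.x builds below 12.3.2.4854 affected, 13.x not affected) together with the domain-joined precondition; the host names and sample version strings are constructed.

```python
# Added example: prioritise Veeam Backup & Replication servers for CVE-2026-44963
# remediation from a constructed inventory.
from typing import NamedTuple

FIXED_BUILD = (12, 3, 2, 4854)  # first fixed 12.x build named in the advisory

class Server(NamedTuple):
    host: str
    version: str
    domain_joined: bool

def parse_version(s):
    """Turn '12.3.2.4465' into a comparable 4-tuple of ints (short strings padded)."""
    parts = tuple(int(p) for p in s.strip().split("."))
    return parts + (0,) * (4 - len(parts))

def assess(server):
    """Classify one server; domain-joined vulnerable builds are the priority."""
    v = parse_version(server.version)
    if v[0] >= 13:
        return "not_affected_13x"
    if v[0] != 12:
        return "unsupported_branch"          # 11.x and older: out of scope here
    if v >= FIXED_BUILD:
        return "patched"
    if not server.domain_joined:
        return "vulnerable_build_standalone"  # precondition not met, still upgrade
    return "vulnerable_domain_joined"

INVENTORY = [  # constructed sample inventory, version strings are illustrative
    Server("VBR01", "12.3.2.4465", True),
    Server("VBR02", "12.3.2.4854", True),
    Server("VBR03", "12.1.0.0", False),
    Server("VBR04", "13.0.0.0", True),
]

def prioritise(inventory):
    """Return (status, host) pairs ordered from most to least urgent."""
    order = ["vulnerable_domain_joined", "vulnerable_build_standalone",
             "patched", "not_affected_13x", "unsupported_branch"]
    return sorted(((assess(s), s.host) for s in inventory),
                  key=lambda t: order.index(t[0]))

if __name__ == "__main__":
    for status, host in prioritise(INVENTORY):
        print(f"{host:8} {status}")
```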
Beyond patching, organisations should review access controls around backup environments, restrict administrative access to authorised personnel, and ensure enhanced logging is enabled across backup infrastructure.
Finally, backup resilience should be validated regularly. Offline, immutable, and regularly tested backups remain one of the most effective safeguards against both ransomware and infrastructure compromise.
CVE-2026-44963 represents a significant risk for organisations operating domain-joined Veeam Backup & Replication 12.x environments.
Although exploitation requires authentication, the low privilege threshold means attackers may be able to leverage existing footholds to compromise backup infrastructure with relatively little effort. Given the long history of ransomware groups targeting Veeam systems, it is reasonable to expect exploit development efforts to begin quickly following the release of security updates.
Security teams should therefore prioritise remediation while simultaneously increasing visibility around authentication activity, administrative actions, and configuration changes affecting backup infrastructure.
As with many modern attacks, the greatest risk may not come from the vulnerability itself, but from how it enables attackers to move from an initial compromise to a far more damaging outcome.
Backup platforms are among the most important systems to monitor during a cyber attack because they are often targeted before ransomware deployment or data extortion activities begin. NormCyber’s Managed Detection and Response (MDR) service provides continuous monitoring across identities, endpoints, servers, and infrastructure to help detect suspicious activity involving backup environments before attackers can achieve their objectives.
Our SOC analysts investigate unusual authentication attempts, privilege escalation activity, suspicious PowerShell execution, lateral movement behaviour, and unauthorised administrative actions affecting critical systems such as Veeam servers. By correlating signals across the wider environment, NormCyber MDR helps organisations identify potential attacks at an earlier stage and respond before backup infrastructure becomes compromised.
As threat actors increasingly focus on recovery platforms to maximise disruption, proactive monitoring and rapid incident response play a critical role in maintaining organisational resilience and ensuring recovery options remain available when they are needed most.
Primary:
KB4869: Vulnerability Resolved in Veeam Backup & Replication 12.3.2.4854
Secondary:
New Veeam vulnerability exposes backup servers to RCE attacks