Veeam Releases Critical Security Update for Backup & Replication Vulnerability

Veeam has recently issued security patches to address a critical security flaw in Backup & Replication software. This flaw could potentially be exploited to achieve remote code execution (RCE) on backup servers that are part of a domain.

The vulnerability, identified as CVE-2026-44963 and disclosed by WatchTowr security researcher Sina Kheirkhah, impacts Veeam Backup & Replication (VBR) versions 12.3.2.4465 and all earlier versions of build 12. The issue was resolved in version 12.3.2.4854.

While the vulnerability can be exploited by any domain user with low privileges, it specifically affects Veeam Backup & Replication installations that are connected to a domain.

“A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user,” stated Veeam in an advisory. “This vulnerability does not affect any version 13.x build of Veeam Backup & Replication due to architectural changes starting in version 13.”

However, many companies have chosen to join their Veeam servers to a Windows domain, disregarding Veeam’s established best practices.

Although there have been no reported instances of active exploitation, Veeam cautioned that attackers often begin developing exploits soon after patches are released.

“It’s important to note that once a vulnerability and its associated patch are disclosed, attackers will likely attempt to reverse-engineer the patch to exploit unpatched deployments of Veeam software,” the company added. “This underscores the critical importance of ensuring that all customers use the latest versions of our software and install all updates and patches promptly.”

Increased Risk of Ransomware Attacks

Ransomware groups have previously stated that they frequently target Veeam backup servers as it enables them to access sensitive data, navigate through breached networks, and impede restoration efforts by deleting victims’ backups.

In recent years, the Cybersecurity and Infrastructure Security Agency (CISA) has identified four Veeam Backup & Replication vulnerabilities that have been actively exploited in attacks, with ransomware groups taking advantage of these flaws.

For example, in November 2024, Sophos X-Ops reported that another critical VBR RCE flaw (CVE-2024-40711) was exploited by various ransomware operations, including Akira, Fog, and Frag ransomware groups.

The financially motivated FIN7 threat group, known for collaborating with ransomware groups like Maze, Egregor, Conti, REvil, and BlackBasta, as well as the Cuba ransomware gang, have both been linked to attacks leveraging VBR security vulnerabilities.

Veeam’s solutions are utilized by more than 550,000 customers globally, including 82% of Fortune 500 companies and 74% of Global 2,000 firms.