CVE-2026-44963: Critical Veeam Backup RCE Gives Any Domain User a Path to Ransomware's Favourite Target

Veeam has patched a critical remote code execution vulnerability in Backup & Replication v12 that requires only a standard domain user account to exploit — a threat model that directly mirrors the low-privilege access ransomware affiliates routinely acquire through credential phishing before moving laterally toward backup infrastructure. The vulnerability, CVE-2026-44963, carries a CVSSv4 score of 9.4 and was disclosed on June 9, 2026, alongside the release of a fixed build.

What Is Vulnerable and Why It Matters

Veeam Backup & Replication is the dominant enterprise backup solution across large organisations in financial services, healthcare, manufacturing, and the public sector. Its combination of market penetration and operational criticality — backup servers hold compressed, catalogued copies of the entire organisation’s data — has made it a consistent priority target for ransomware operators. Groups including LockBit, BlackCat/ALPHV, and Akira have each incorporated exploits of prior Veeam vulnerabilities (CVE-2023-27532, CVE-2024-40711) into their attack chains, using backup server access either to exfiltrate data cleanly before encryption or to delete backup repositories and maximise recovery impact.

CVE-2026-44963, discovered by watchTowr researcher Sina Kheirkhah, allows any authenticated domain user — without administrator privileges — to execute arbitrary code on the Veeam Backup Server. The condition is that the Veeam server must be domain-joined, which is the default and recommended deployment configuration in enterprise environments. The attack requires no elevated rights beyond a valid domain account, which is typically the starting position of an attacker who has compromised a single employee workstation via phishing.

Veeam v13.x is not affected due to architectural changes introduced in that release. All v12.x builds prior to 12.3.2.4854 are vulnerable.

Exploitation Context

No in-the-wild exploitation of CVE-2026-44963 has been confirmed as of June 10, 2026. This is expected — the vulnerability was disclosed alongside the patch, reducing the window for zero-day exploitation. However, the window between Veeam patch release and ransomware weaponisation has shrunk measurably with each previous Veeam vulnerability. CVE-2024-40711 was incorporated into active Akira ransomware campaigns within weeks of disclosure in September 2024.

The attack path that concerns defenders here is not a novel one: initial access through phishing or credential stuffing → domain account obtained → lateral movement to domain-joined Veeam server → CVE-2026-44963 to achieve SYSTEM → backup catalogue destruction or exfiltration prior to network-wide encryption. Each link in that chain is well-established in current ransomware playbooks.

The “domain user” bar is the critical dimension. In an enterprise environment, every employee with a PC has a domain account. Veeam servers are typically reachable from workstations on the corporate network. Organisations that rely on network segmentation to protect backup infrastructure — without having patched — should treat that control as unreliable given the frequency with which attackers pivot through endpoint compromises.

Patch immediately. Update to Veeam Backup & Replication 12.3.2.4854 or migrate to v13.x. Veeam backup servers should be treated with the same urgency as domain controllers when critical RCE patches are available.

Isolate Veeam servers at the network layer. Domain-joined backup servers should not be reachable directly from workstation subnets. Access should be limited to the management VLAN and from backup proxy/repository hosts only. Review firewall rules and VLAN segmentation before exploitation begins.

Review Veeam service account permissions. If the Veeam service account has broad domain privileges, restrict them to the minimum required. Service accounts with Domain Admin membership are an unnecessary escalation from this baseline.

Enable immutable backup repositories. Hardened or immutable backup targets (object storage with WORM policies, Veeam hardened Linux repositories) that cannot be deleted even from the Veeam server itself are the last-resort control that survives a backup server compromise.

Monitor for lateral movement to backup infrastructure. EDR and SIEM alerting on unusual authentication to Veeam servers — particularly from non-administrator accounts or workstation hostnames — will surface exploitation attempts before they complete.
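One way to implement the alerting described above, as an added example that is not the article's or Veeam's own code: it scores normalised Windows Security 4624 logon records for a Veeam backup host against a constructed allowlist of backup administrators, a management subnet and a workstation naming convention (account names, subnets and hostnames are all assumed).

```python
import ipaddress
import re

# Added example (not the article's or Veeam's code). Constructed policy for one
# backup host: expected admin accounts, the management VLAN, and the naming
# convention that marks a logon source as an end-user workstation.
BACKUP_ADMINS = {"CORP\\veeam-svc", "CORP\\bkp-admin01"}
MGMT_SUBNETS = [ipaddress.ip_network("10.50.0.0/24")]
WORKSTATION_NAME = re.compile(r"^(WS|LT|PC)-[\w-]+$", re.I)

def classify_logon(evt):
    """Return the reasons a normalised 4624 record is suspicious ([] = expected)."""
    reasons = []
    if evt["TargetUserName"].endswith("$"):
        return reasons  # machine accounts are out of scope for this rule
    account = f"{evt['TargetDomainName']}\\{evt['TargetUserName']}"
    if account not in BACKUP_ADMINS:
        reasons.append(f"non-admin account {account}")
    station = evt.get("WorkstationName", "")
    if WORKSTATION_NAME.match(station):
        reasons.append(f"workstation source {station}")
    ip = evt.get("IpAddress", "-")
    if ip not in ("-", "::1", "127.0.0.1"):
        if not any(ipaddress.ip_address(ip) in net for net in MGMT_SUBNETS):
            reasons.append(f"source {ip} outside management VLAN")
    return reasons

def detect(events):
    """Map RecordId -> reasons for every event that trips at least one check."""
    flagged = {}
    for evt in events:
        reasons = classify_logon(evt)
        if reasons:
            flagged[evt["RecordId"]] = reasons
    return flagged

# Constructed sample: two expected logons, then a non-administrator account and
# a logon sourced from a workstation hostname (the two patterns the text names).
SAMPLE_EVENTS = [
    {"RecordId": 1, "TargetDomainName": "CORP", "TargetUserName": "bkp-admin01",
     "WorkstationName": "MGMT-JUMP01", "IpAddress": "10.50.0.12"},
    {"RecordId": 2, "TargetDomainName": "CORP", "TargetUserName": "VEEAM01$",
     "WorkstationName": "VEEAM01", "IpAddress": "-"},
    {"RecordId": 3, "TargetDomainName": "CORP", "TargetUserName": "jsmith",
     "WorkstationName": "WS-FIN-0421", "IpAddress": "10.20.4.77"},
    {"RecordId": 4, "TargetDomainName": "CORP", "TargetUserName": "bkp-admin01",
     "WorkstationName": "LT-HR-0099", "IpAddress": "10.20.9.5"},
]

if __name__ == "__main__":
    for rid, reasons in detect(SAMPLE_EVENTS).items():
        print(f"record {rid}: {'; '.join(reasons)}")
```

Record 4 shows why the checks are combined rather than keyed on the account alone: an allowlisted administrator logging on from a workstation outside the management VLAN is exactly the pivot the text describes.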