
Veeam has patched a critical remote code execution vulnerability, tracked as CVE-2026-44963 (CVSS v4 score of 9.4), affecting Backup & Replication version 12.x. The flaw could allow a low-privileged domain user to execute code on backup servers connected to an Active Directory domain, potentially leading to full system compromise.
The issue was fixed in version 12.3.2.4854 and does not affect Veeam Backup & Replication 13.x, which uses a different architecture.
WatchTowr researcher Sina Kheirkhah [@SinSinology] reported the issue.
“A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user,” reads the advisory.
At this time, the vendor is not aware of any in-the-wild attacks exploiting this vulnerability. However, it warns that threat actors may begin exploiting it as soon as patches are released.
“It’s important to note that once a vulnerability and its associated patch are disclosed, attackers will likely attempt to reverse-engineer the patch to exploit unpatched deployments of Veeam software,” continues the advisory. “This reality underscores the critical importance of ensuring that all customers use the latest versions of our software and install all updates and patches without delay.”
Ransomware and extortion groups often target Veeam Backup & Replication because backup systems are a critical part of an organization’s recovery process. If attackers compromise them, they can delete or encrypt backups, steal sensitive data stored in backup archives, and extract credentials that help them move deeper into the network. This makes recovery much harder and increases pressure on victims to pay. Veeam servers are especially attractive because they usually have high privileges and broad access to virtual machines and storage systems. As a result, attackers prioritize backup infrastructure early in their attack chain to weaken defenses before deploying ransomware.
In June 2025, Veeam rolled out security patches to address another critical security vulnerability in its Backup & Replication solution, tracked as CVE-2025-23121 (CVSS score of 9.9), that can allow remote attackers to execute arbitrary code under certain conditions.