Veeam has patched a critical vulnerability that would let any authenticated domain user execute arbitrary code as root on backup servers running its widely deployed Backup & Replication software. The flaw — CVE-2026-44963 — affects Veeam Backup & Replication 12.3.2.4465 and all earlier version 12 builds. It was fixed in version 12.3.2.4854.
Here’s what makes this one sting: the bar for exploitation is low. You don’t need admin rights. Any domain user with basic privileges can trigger the vulnerability by uploading a crafted file to the affected system. From there, it’s root access on the backup server.
Why Backup Servers Are the Ultimate Target
If you’re a ransomware operator, backup servers are the crown jewels. Compromise a Veeam server and you can steal sensitive data, move laterally through the network, and — most critically — delete or encrypt the victim’s backups so they can’t recover without paying.
Ransomware gangs have told BleepingComputer outright that they always target Veeam servers. It’s not hypothetical. In November 2024, the Akira, Fog, and Frag ransomware operations all weaponized another critical Veeam RCE flaw (CVE-2024-40711) within weeks of its disclosure. The FIN7 threat group — which has collaborated with Maze, Egregor, Conti, REvil, and BlackBasta — has also been linked to attacks targeting VBR vulnerabilities. So has the Cuba ransomware gang.
CISA has flagged four Veeam Backup & Replication flaws as actively exploited in its Known Exploited Vulnerabilities catalog. KEV entries require evidence of in-the-wild exploitation, so CVE-2026-44963 will very likely join them as soon as the first confirmed attacks are reported.
The Domain-Joined Problem
There’s an important caveat: the vulnerability only affects Veeam installations that are joined to a Windows domain. Veeam has long recommended running Backup & Replication servers in a workgroup, not a domain. But many organizations ignore that guidance because domain-joined setups are easier to manage at scale.
That convenience is now a liability. In a domain-joined environment, any compromised low-privilege account — think a regular employee whose credentials were phished — becomes a potential attack vector for full server compromise.
Version 13.x isn’t affected due to architectural changes, but many organizations are still running version 12. Veeam has over 550,000 customers worldwide, including 82% of Fortune 500 companies and 74% of Global 2,000 firms. A significant chunk of those are likely still on version 12.
No Workaround: Patch Is the Only Fix
Veeam has released the fix and there are no workarounds available. That means patching is the only option. The company has also published indicators of compromise, suggesting they take the risk of active exploitation seriously.
Veeam’s warning is blunt: “Once a vulnerability and its associated patch are disclosed, attackers will likely attempt to reverse-engineer the patch to exploit unpatched deployments.” That’s not FUD — it’s the reality of how ransomware operations work. They have dedicated teams whose entire job is turning patch notes into exploits.
What You Should Do Right Now
If you’re running Veeam Backup & Replication version 12, update to 12.3.2.4854 immediately. If you can’t patch right now, reduce the exposure instead: limit which accounts and hosts can reach the backup server at all (fewer users able to reach it means fewer users able to upload a crafted file), review domain accounts with any access to it, and look for unusual file uploads or privilege escalation on the Veeam servers themselves. Check the IoCs Veeam published. None of this substitutes for the patch, since Veeam lists no workaround.
Longer term: consider whether your Veeam servers need to be domain-joined at all. Veeam’s own best practices say they shouldn’t be. The operational convenience of domain join isn’t worth a root-level RCE.
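The two conditions above (an affected 12.x build, and a domain-joined server) are easy to get wrong across a fleet, so here is an added example, not Veeam’s tooling and not part of the advisory, that applies them to a server inventory and sorts the result most-urgent-first. The hostnames and version strings in the inventory are constructed; the thresholds (12.3.2.4465 and earlier affected, 12.3.2.4854 fixed, 13.x unaffected, domain join required) are taken from the article. The `domain_joined` flag is assumed to be collected on each host, for instance from the `PartOfDomain` property of the `Win32_ComputerSystem` WMI class.

```python
"""Triage a Veeam Backup & Replication (VBR) inventory against the advisory
described in the article. Added example: the inventory is constructed, and
the version thresholds come from the article text."""

from __future__ import annotations

from typing import NamedTuple

FIXED_BUILD = (12, 3, 2, 4854)  # first build carrying the fix, per the article

# Exposure states, most urgent first; triage() sorts the report in this order.
EXPOSED = "EXPOSED"                        # affected build AND domain-joined: patch now
AFFECTED_WORKGROUP = "AFFECTED_WORKGROUP"  # affected build, workgroup server: patch soon
UNKNOWN = "UNKNOWN"                        # version string unparseable: verify by hand
OUT_OF_SCOPE = "OUT_OF_SCOPE"              # older than 12: not covered by the advisory
PATCHED = "PATCHED"
NOT_AFFECTED = "NOT_AFFECTED"              # 13.x, unaffected per the article

_ORDER = [EXPOSED, AFFECTED_WORKGROUP, UNKNOWN, OUT_OF_SCOPE, PATCHED, NOT_AFFECTED]


class Server(NamedTuple):
    host: str
    version: str          # build string as shown in the VBR console
    domain_joined: bool   # assumed collected per host (e.g. Win32_ComputerSystem.PartOfDomain)


def parse_build(version: str) -> tuple[int, ...] | None:
    """Turn '12.3.2.4465' into a comparable tuple; None unless it is a 4-part build."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(server: Server) -> str:
    """Apply the article's two conditions: affected 12.x build, and domain-joined."""
    build = parse_build(server.version)
    if build is None:
        return UNKNOWN
    major = build[0]
    if major >= 13:
        return NOT_AFFECTED
    if major < 12:
        return OUT_OF_SCOPE
    if build >= FIXED_BUILD:
        return PATCHED
    # Every 12.x build below the fix is treated as affected: the article lists
    # 12.3.2.4465 and earlier, and names nothing between that and 4854 as safe.
    return EXPOSED if server.domain_joined else AFFECTED_WORKGROUP


def triage(inventory: list[Server]) -> list[tuple[str, str]]:
    """Return (host, state) pairs, most urgent state first, then by hostname."""
    rows = [(s.host, classify(s)) for s in inventory]
    return sorted(rows, key=lambda r: (_ORDER.index(r[1]), r[0]))


# Constructed sample inventory; hostnames and builds are illustrative, not real systems.
SAMPLE_INVENTORY = [
    Server("vbr-hq-01", "12.3.2.4465", True),    # last affected build, domain-joined
    Server("vbr-branch-02", "12.1.2.172", True),  # older 12.x, domain-joined
    Server("vbr-lab-03", "12.3.2.4465", False),   # affected build but workgroup
    Server("vbr-hq-04", "12.3.2.4854", True),     # fixed build
    Server("vbr-new-05", "13.0.0.1", True),       # 13.x, not affected
    Server("vbr-legacy-06", "11.0.0.1", True),    # pre-12, outside the advisory
    Server("vbr-odd-07", "12.3", True),           # malformed version string
]

if __name__ == "__main__":
    for host, state in triage(SAMPLE_INVENTORY):
        print(f"{state:<20} {host}")
```

The `EXPOSED` rows are the ones that match the article’s full precondition (any domain user can reach root on them); `AFFECTED_WORKGROUP` servers still run a vulnerable build and should be patched in the same maintenance window, since the only thing protecting them is the workgroup configuration.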
What’s Next
There are no reports of active exploitation yet, but that window is closing. Given the history of Veeam flaws being weaponized quickly — and the enormous attack surface of 550,000+ customers — expect scanning and exploitation attempts to ramp up within days of this disclosure. If you haven’t patched, the clock is ticking.
