Introduction
The Veeam Backup RCE vulnerability tracked as CVE-2026-44963 is one of the most dangerous disclosures of 2026 for enterprise security teams. Carrying a CVSS v4 score of 9.4, this critical remote code execution flaw in Veeam Backup and Replication allows any authenticated domain user to execute arbitrary code remotely on backup servers. No elevated privileges needed. Any domain account is enough.
Discovered by Sina Kheirkhah of WatchTowr and disclosed on June 10, 2026, this Veeam Backup RCE vulnerability directly threatens the last line of defense for most organizations against ransomware. Veeam is deployed by over 550,000 customers worldwide, including 82 percent of Fortune 500 companies and 74 percent of Global 2000 firms. Ransomware operators have historically prioritized Veeam vulnerabilities precisely because destroying backup infrastructure eliminates an organization's ability to recover without paying a ransom.
CVE-2026-44963 is not a standalone problem. It joins a cascade of critical Veeam vulnerabilities disclosed throughout 2026, including CVE-2026-21666, CVE-2026-21667, CVE-2026-21669, and CVE-2026-21708, all carrying CVSS scores of 9.9. Ransomware groups including FIN7, Cuba, Akira, Fog, and Frag have previously weaponized Veeam RCE flaws within weeks of disclosure. The pattern is well established. This Veeam Backup RCE vulnerability will follow it.
Veeam has patched CVE-2026-44963 in version 12.3.2.4854. If your organization has not yet upgraded, your backup infrastructure is directly in the path of active threat actors right now. Here is everything your team needs to understand.
What Is the Veeam Backup RCE Vulnerability CVE-2026-44963
The Veeam Backup RCE vulnerability CVE-2026-44963 is a critical remote code execution flaw in Veeam Backup and Replication that allows any authenticated domain user to execute arbitrary code on the Backup Server remotely. The vulnerability affects all Veeam Backup and Replication version 12 builds up to and including version 12.3.2.4465.
The access requirement of any authenticated domain user is the defining characteristic that makes this flaw so dangerous. In most enterprise Active Directory environments, domain user accounts number in the hundreds or thousands. Help desk staff, junior operations analysts, backup monitoring accounts, and service accounts with minimal permissions all qualify as authenticated domain users. Any one of them, if compromised through phishing, credential stuffing, or lateral movement from another system, becomes an immediate path to full Backup Server code execution.
CVE-2026-44963 at a glance:
- CVE ID: CVE-2026-44963
- CVSS v4 Score: 9.4 (Critical)
- Affected Product: Veeam Backup and Replication version 12 builds
- Affected Versions: All builds up to and including 12.3.2.4465
- Fixed Version: 12.3.2.4854
- Not Affected: Version 13.x builds due to architectural changes
- Authentication Required: Yes, any authenticated domain user
- Privilege Level Required: Low, any domain account qualifies
- Attack Complexity: Low
- User Interaction Required: None
- Discovered By: Sina Kheirkhah, WatchTowr (@SinSinology)
- Patch Date: June 10, 2026
- Proof of Concept: Published on GitHub as of June 10, 2026
The central concern is the combination of critical severity, low attack complexity, and the extremely wide pool of accounts that can trigger it. Proof-of-concept code was already published on GitHub at the time of disclosure, meaning any threat actor with basic technical capability can attempt exploitation immediately against unpatched deployments.
The Broader Veeam 2026 Vulnerability Cluster
CVE-2026-44963 does not exist in isolation. To fully understand the Veeam Backup RCE vulnerability landscape your organization faces, security teams must understand the full cluster of critical Veeam flaws disclosed in 2026.
The March 2026 advisory: four critical RCE flaws:
Veeam disclosed four critical and one high-severity vulnerability on March 12, 2026, all affecting Veeam Backup and Replication. Every single one enables remote code execution against backup infrastructure.
CVE-2026-21666 (CVSS 9.9, Critical): Allows any remote low-privileged authenticated domain user to execute arbitrary code on vulnerable Backup Servers in low-complexity attacks. Triggerable by any account granted any level of access to the Veeam Backup and Replication interface, including read-only monitoring accounts and help desk triage accounts.
CVE-2026-21667 (CVSS 9.9, Critical): Also allows any remote low-privileged authenticated domain user to achieve remote code execution on Backup Servers. Low-complexity attack. Same wide access threshold as CVE-2026-21666, meaning any interface account can trigger it.
CVE-2026-21669 (CVSS 9.9, Critical): Enables any remote low-privileged authenticated domain user to perform RCE specifically on Windows-based Backup Servers. Third distinct RCE path with identical access requirements to the first two.
CVE-2026-21708 (CVSS 9.9, Critical): Allows a remote user holding only the Backup Viewer role to perform RCE as the PostgreSQL database user. The Backup Viewer role is routinely granted to junior operations staff, backup job monitoring accounts, and service accounts across enterprise environments. This vulnerability provides code execution directly against the Veeam configuration database backend.
CVE-2026-21668 (CVSS 8.8, High): Allows a remote low-privileged authenticated domain user to bypass restrictions and manipulate arbitrary files on a Backup Repository. While classified as High rather than Critical, arbitrary file manipulation on backup repositories carries significant data destruction capability.
The coherent attack chain these vulnerabilities enable:
Security researchers at Cloud Security Alliance Labs documented the combined exploitation path. An attacker with Backup Viewer credentials uses CVE-2026-21708 to achieve RCE as the PostgreSQL user. From that position they extract the entire Veeam configuration database. That database contains stored credentials for all managed backup agents, protected machines, and cloud repositories. With those credentials the attacker accesses all backup files directly, deletes recovery points, and moves laterally to every managed system before deploying ransomware. The entire chain from Backup Viewer credentials to full infrastructure compromise flows through vulnerabilities that carry the same low-privilege access threshold.
Technical Analysis: Inside the Veeam Backup RCE Vulnerability
Understanding exactly how the Veeam Backup RCE vulnerability works enables defenders to build targeted detection and response capabilities.
Root Cause of CVE-2026-44963
Veeam had not published the full technical root cause details for CVE-2026-44963 at the time of disclosure. Sina Kheirkhah of WatchTowr, who discovered and responsibly reported the vulnerability, identified it during security research into the Veeam Backup and Replication platform. The flaw enables any authenticated domain user to reach a code execution path on the Backup Server that should require significantly higher privileges to access.
The access threshold being set at any authenticated domain user rather than a backup administrator or system account indicates an authorization boundary failure rather than a purely technical memory corruption flaw. An authenticated user who should have no ability to interact with backup server internals can reach and trigger the vulnerable execution path.
Why the Domain User Access Threshold Is the Critical Risk Factor
In a typical enterprise Active Directory environment, every one of the following account categories qualifies as an authenticated domain user capable of triggering CVE-2026-44963:
- Help desk and service desk staff accounts
- Junior IT operations and monitoring accounts
- Backup job status monitoring service accounts
- Any read-only Veeam interface account
- Any account obtained through phishing a low-privilege employee
- Any account recovered through credential stuffing against Active Directory
- Any account obtained through lateral movement from any compromised workstation
The attack surface is therefore not the small set of backup administrators who should have privileged access to Veeam. It is every domain account in the organization plus every account an attacker can obtain through any initial access vector.
The PostgreSQL Backend Exploitation Path (CVE-2026-21708)
CVE-2026-21708 provides a particularly clear picture of how these vulnerabilities chain together in practice. The Veeam Backup Server uses a PostgreSQL database backend to store its entire configuration state. This includes all backup job definitions, all stored credentials for managed agents and protected machines, all cloud repository credentials, and all scheduled task configurations.
An attacker holding only the Backup Viewer role uses CVE-2026-21708 to achieve code execution as the PostgreSQL process user. From that execution context they can query the entire Veeam configuration database directly. The extracted credentials cover every system Veeam manages, which in a large enterprise means hundreds of servers, virtual machines, and cloud workloads. Those credentials enable lateral movement to every managed system without requiring any additional exploitation.
Historical Ransomware Exploitation Pattern
The Veeam Backup RCE vulnerability pattern in 2026 follows a well-documented historical trajectory that security teams must account for in their risk assessment.
Prior Veeam exploitation confirmed by named threat actors:
- FIN7, linked to Conti, REvil, Maze, Egregor, and BlackBasta ransomware groups, has confirmed historical exploitation of Veeam Backup and Replication vulnerabilities
- Cuba ransomware gang has confirmed historical exploitation of VBR flaws
- In November 2024, Sophos X-Ops confirmed Frag ransomware exploited the CVE-2024-40711 Veeam RCE flaw, with Akira and Fog ransomware also using the same vulnerability
- CISA has flagged four separate Veeam Backup and Replication flaws as actively exploited in attacks in recent years
- CVE-2025-23121, a CVSS 9.9 Veeam RCE from June 2025, followed the same exploitation pattern
The average time between Veeam vulnerability disclosure and ransomware exploitation has historically been measured in days to weeks, not months. Given the public availability of proof-of-concept code for CVE-2026-44963 on the day of disclosure, security teams should treat active exploitation attempts as a near-term certainty.
MITRE ATT&CK Technique Mapping
The confirmed Veeam Backup RCE vulnerability exploitation path maps to the following ATT&CK techniques:
- T1190 Exploit Public-Facing Application for RCE via the Veeam management interface
- T1078.002 Valid Accounts: Domain Accounts for initial domain user access enabling exploitation
- T1003 OS Credential Dumping for extraction of stored credentials from the Veeam configuration database
- T1021 Remote Services for lateral movement using credentials extracted from Veeam's PostgreSQL backend
- T1490 Inhibit System Recovery for deletion or encryption of backup recovery points
- T1486 Data Encrypted for Impact for ransomware deployment across all systems reachable via extracted credentials
Why the Veeam Backup RCE Vulnerability Is a Critical Business Risk
The Veeam Backup RCE vulnerability carries a specific business impact that distinguishes it from most other enterprise vulnerabilities. Backup infrastructure is the safety net every organization relies on to recover from ransomware without paying. Compromising it eliminates that safety net before the ransom demand arrives.
The ransomware pre-positioning strategy:
Ransomware operators learned years ago that organizations with intact backups are significantly less likely to pay ransoms. Their operational response was to target backup infrastructure first in the attack chain, destroy or encrypt recovery points, and then deploy the ransomware payload. CVE-2026-44963 and the broader 2026 Veeam vulnerability cluster provide exactly this capability to any attacker who obtains a single low-privilege domain credential.
Enterprise impact:
- Any organization with Veeam managing backup for hundreds or thousands of systems faces potential credential extraction for all managed machines through the PostgreSQL database exploitation path
- Backup deletion or encryption before ransomware deployment leaves the organization with no recovery option independent of paying the attacker
- Domain-joined Veeam Backup Servers are directly reachable from any domain-authenticated endpoint, meaning any compromised workstation is one lateral movement step from backup infrastructure compromise
SMB and mid-market impact:
- Smaller organizations with fewer security resources face disproportionate exposure because their Veeam instances are more likely to be domain-joined and to have broad domain user access configured
- Managed service providers running Veeam for multiple clients create a scenario where a single Veeam instance compromise exposes all managed client backups simultaneously
- Limited incident response resources mean SMB organizations are less likely to detect exploitation before ransomware deployment
Cloud and hybrid backup risks:
- Cloud repository credentials stored in the Veeam configuration database include AWS S3, Azure Blob, and Google Cloud Storage access keys
- Credential extraction via CVE-2026-21708 provides direct access to cloud backup repositories for deletion or exfiltration
- Organizations using Veeam Cloud Connect face additional exposure if their service provider's Veeam infrastructure is compromised
Regulatory and financial exposure:
- Organizations that suffer backup destruction and ransomware deployment through this vulnerability face the full combined cost of ransom demand, incident response, system rebuilding, and regulatory breach notification
- Any personal data stored in backup repositories creates data breach reporting obligations under GDPR, HIPAA, and PCI-DSS if unauthorized access is confirmed through the PostgreSQL credential extraction path
- The combination of backup destruction and data theft through the same credential extraction path creates simultaneous operational recovery and regulatory breach obligations
Five Real-World Attack Scenarios
Scenario 1: Ransomware Pre-Positioning via Low-Privilege Domain Account
A ransomware affiliate gains access to a low-privilege help desk domain account through a phishing campaign. The account has basic Veeam Backup and Replication interface access for checking backup job status. The attacker uses CVE-2026-44963 to execute code on the Backup Server from this account. They extract the Veeam configuration database and recover credentials for 400 managed servers. They spend five days mapping the environment before deleting all recovery points and deploying ransomware simultaneously across all managed systems. The organization has no backup recovery option.
Scenario 2: PostgreSQL Credential Harvest Enables Full Domain Compromise
An attacker compromises a Backup Viewer service account through credential stuffing against an exposed Active Directory authentication endpoint. They use CVE-2026-21708 to achieve RCE as the PostgreSQL user on the Veeam Backup Server. Extracting the configuration database yields domain admin credentials stored for a Veeam agent deployed on a domain controller. The attacker uses those credentials to authenticate as a domain administrator, achieving full Active Directory compromise from a Backup Viewer service account through a single Veeam vulnerability.
Scenario 3: MSP Veeam Compromise Cascades to All Managed Clients
A managed service provider runs a single Veeam Backup and Replication instance managing backups for 30 SMB clients. An attacker obtains a low-privilege domain account through phishing an MSP junior technician. They exploit CVE-2026-44963 to achieve RCE on the MSP's Veeam Backup Server. The configuration database contains credentials for every managed client's systems. The attacker deploys ransomware across all 30 client environments simultaneously using those extracted credentials. All 30 organizations lose both production systems and their backup infrastructure in the same attack.
Scenario 4: Cloud Backup Repository Destruction
An attacker exploits the CVE-2026-21708 PostgreSQL RCE path to extract cloud repository credentials from a Veeam configuration database. The credentials include AWS S3 access keys with full read and delete permissions on cloud backup buckets. The attacker permanently deletes all cloud backup data across six months of retention before deploying ransomware. The organization discovers that both on-premises and cloud backup repositories have been destroyed. No recovery option exists without rebuilding from scratch.
Scenario 5: Chained CVE Attack Achieves Rapid Backup Destruction
An attacker combines CVE-2026-21666 and CVE-2026-21708 in a chained attack. They use CVE-2026-21666 to achieve initial code execution on the Backup Server. From that execution context they pivot to the PostgreSQL backend using CVE-2026-21708, extracting the full configuration database. They use CVE-2026-21668 to manipulate files on backup repositories, overwriting backup files with corrupted data rather than deleting them to delay discovery. The organization does not discover the backup corruption until they attempt recovery following ransomware deployment six days later.
How to Detect the Veeam Backup RCE Vulnerability Being Exploited
Detecting exploitation of the Veeam Backup RCE vulnerability requires specific monitoring of Veeam infrastructure, database activity, and backup server process behavior that most organizations have not fully deployed. Here is your complete detection framework.
Logging You Must Enable Now
- Enable comprehensive Windows Event Log collection on all Veeam Backup Server instances, specifically process creation (Event ID 4688) and service installation events
- Enable Veeam application-level logging at maximum verbosity during any active investigation period
- Capture all authentication events to the Veeam Backup and Replication interface including both successful and failed login attempts with source IP addresses
- Enable PostgreSQL database query logging on all Veeam backend database instances to capture unusual query patterns or bulk data extraction attempts
- Forward all Veeam Backup Server logs to your SIEM platform in real time
- Enable Windows PowerShell Script Block Logging on Veeam Backup Servers to capture any post-exploitation script execution
Process and Host Monitoring
- Alert on the Veeam Backup Service spawning unexpected child processes including cmd.exe, powershell.exe, wscript.exe, or any reverse shell indicator
- Monitor for unexpected file creation events from Veeam service account contexts in directories outside standard Veeam installation paths
- Flag unexpected outbound network connections from Veeam Backup Server hosts to external IP addresses not associated with managed backup destinations
- Alert on PostgreSQL process spawning unexpected child processes or executing system commands outside normal database operations
- Detect new scheduled task creation on Veeam Backup Servers that were not created through approved administrative processes
- Monitor for large database query operations against the Veeam configuration database that extract credentials or configuration data in bulk
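The first and fourth bullets above can be expressed as a concrete rule over Windows Security Event ID 4688 records. The following is an added example, not Veeam's or the article's own code; the Veeam binary names, the PostgreSQL install path and the sample events are assumptions constructed to show the rule's shape.

```python
"""Flag interpreters spawned by Veeam service or PostgreSQL processes.

Added example, not Veeam's or the article's own code. It evaluates Windows
Security Event ID 4688 (process creation) records that have already been
parsed into the fields below. The Veeam binary names are assumptions used to
show the allow-list shape; replace them with the services on your server.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Assumed sensitive parent processes (adjust per deployment).
VEEAM_PARENTS = {"veeam.backup.service.exe", "veeam.backup.manager.exe"}
DB_PARENTS = {"postgres.exe"}

# Interpreters and living-off-the-land binaries a backup service should not launch.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of 4688 fields: NewProcessName, ParentProcessName, SubjectUserName."""
    event_id: int
    timestamp: str
    subject_user: str
    parent_image: str
    new_image: str
    command_line: str


def _basename(path: str) -> str:
    """Case-insensitive file name from a Windows path ('C:\\a\\b.exe' -> 'b.exe')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return an alert label for one event, or None when it looks benign.

    Tuning note: post-job scripts configured inside Veeam also run as children
    of the backup service, so expected script paths belong on an allow-list.
    """
    if ev.event_id != 4688:
        return None
    parent = _basename(ev.parent_image)
    child = _basename(ev.new_image)
    if parent in VEEAM_PARENTS and child in SUSPICIOUS_CHILDREN:
        return "veeam_service_spawned_interpreter"
    if parent in DB_PARENTS and child not in DB_PARENTS:
        # postgres.exe normally forks only further postgres.exe backends;
        # anything else under it is consistent with code execution as the DB user.
        return "postgres_spawned_foreign_child"
    return None


def detect(events: Iterable[ProcessEvent]) -> List[Tuple[str, ProcessEvent]]:
    """Run classify() over a stream of events and keep the hits, in order."""
    hits = []
    for ev in events:
        label = classify(ev)
        if label:
            hits.append((label, ev))
    return hits


VEEAM_DIR = r"C:\Program Files\Veeam\Backup and Replication\Backup"
PG_DIR = r"C:\Program Files\PostgreSQL\15\bin"   # assumed install path

# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    # Benign: the backup service launching its own manager component.
    ProcessEvent(4688, "2026-06-11T02:13:50", "VBR01$",
                 VEEAM_DIR + r"\Veeam.Backup.Service.exe",
                 VEEAM_DIR + r"\Veeam.Backup.Manager.exe",
                 "Veeam.Backup.Manager.exe"),
    # Suspicious: the backup service launching a command shell.
    ProcessEvent(4688, "2026-06-11T02:14:03", "VBR01$",
                 VEEAM_DIR + r"\Veeam.Backup.Service.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c whoami"),
    # Benign: a PostgreSQL backend fork.
    ProcessEvent(4688, "2026-06-11T02:14:10", "postgres",
                 PG_DIR + r"\postgres.exe", PG_DIR + r"\postgres.exe",
                 "postgres.exe --forkbackend"),
    # Suspicious: the database process launching PowerShell.
    ProcessEvent(4688, "2026-06-11T02:14:12", "postgres",
                 PG_DIR + r"\postgres.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile"),
    # Ignored: a process-exit event (4689) carries no new parent/child pair.
    ProcessEvent(4689, "2026-06-11T02:14:20", "VBR01$",
                 VEEAM_DIR + r"\Veeam.Backup.Service.exe",
                 r"C:\Windows\System32\cmd.exe", ""),
]

if __name__ == "__main__":
    for label, ev in detect(SAMPLE_EVENTS):
        print(f"{ev.timestamp} {label}: {_basename(ev.parent_image)} -> {ev.command_line}")
```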
SIEM Correlation Rules
- Alert on Veeam interface authentication from unexpected source IP addresses followed by unusual API or management activity within a 10-minute window
- Correlate bulk backup job deletion or modification events with preceding authentication from non-administrative accounts
- Flag Veeam Backup Server outbound connections to cloud storage destinations following any unusual authentication event
- Alert on mass recovery point deletion events on any backup repository managed by a potentially compromised Veeam instance
- Build detection logic for PostgreSQL connections from non-Veeam service account contexts on Veeam Backup Server hosts
- Correlate lateral movement from Veeam Backup Server IP addresses to managed endpoint IP addresses outside of normal backup job windows
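The first, second and fourth correlation rules above share one shape: a login, then sensitive activity by the same account inside a 10-minute window. The following is an added example, not Veeam's or the article's own code, that implements that join over two constructed event streams; the approved jump-host addresses, designated admin account, action names and sample events are all assumptions.

```python
"""Correlate Veeam interface logins with sensitive follow-on activity.

Added example, not Veeam's or the article's own code. Input is two
constructed streams: interface authentications (user, source IP, outcome)
and management actions (user, action, target). APPROVED_SOURCES,
BACKUP_ADMINS and the action names are assumptions to adapt per deployment.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List

WINDOW = timedelta(minutes=10)
BULK_DELETE_THRESHOLD = 5                         # recovery points deleted per window

APPROVED_SOURCES = {"10.10.50.5", "10.10.50.6"}   # assumed admin jump hosts
BACKUP_ADMINS = {"corp\\bkadmin01"}               # assumed designated admins (lower-case)
SENSITIVE_ACTIONS = {
    "DeleteRecoveryPoint", "DeleteBackupJob", "ModifyRepository",
    "ExportConfiguration", "AddCredential",
}


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    source_ip: str
    success: bool


@dataclass(frozen=True)
class MgmtEvent:
    ts: datetime
    user: str
    action: str
    target: str


@dataclass
class Alert:
    user: str
    source_ip: str
    login_ts: datetime
    reasons: List[str] = field(default_factory=list)
    actions: List[MgmtEvent] = field(default_factory=list)


def correlate(auths: List[AuthEvent], mgmt: List[MgmtEvent]) -> List[Alert]:
    """Alert when a risky login is followed by sensitive actions within WINDOW.

    A login is risky if it comes from a source not on the jump-host list or
    from an account that is not a designated backup administrator. Bulk
    recovery-point deletion inside the window is recorded as an extra reason.
    """
    alerts: List[Alert] = []
    for a in sorted(auths, key=lambda e: e.ts):
        if not a.success:
            continue
        reasons = []
        if a.source_ip not in APPROVED_SOURCES:
            reasons.append("login_from_unapproved_source")
        if a.user.lower() not in BACKUP_ADMINS:
            reasons.append("non_admin_account")
        if not reasons:
            continue
        followups = sorted(
            (m for m in mgmt
             if m.user.lower() == a.user.lower()
             and a.ts <= m.ts <= a.ts + WINDOW
             and m.action in SENSITIVE_ACTIONS),
            key=lambda e: e.ts)
        if not followups:
            continue
        deletes = sum(1 for m in followups if m.action == "DeleteRecoveryPoint")
        if deletes >= BULK_DELETE_THRESHOLD:
            reasons.append("bulk_recovery_point_deletion")
        alerts.append(Alert(a.user, a.source_ip, a.ts, reasons, followups))
    return alerts


def _t(hms: str) -> datetime:
    return datetime.fromisoformat("2026-06-11T" + hms)


# Constructed sample events, not real telemetry.
SAMPLE_AUTHS = [
    AuthEvent(_t("02:10:00"), "corp\\hd.jsmith", "10.20.7.33", True),   # help desk, from a workstation
    AuthEvent(_t("09:00:00"), "corp\\bkadmin01", "10.10.50.5", True),   # admin, from a jump host
    AuthEvent(_t("11:30:00"), "corp\\mon.svc", "10.20.9.8", True),      # monitoring account, read-only use
    AuthEvent(_t("11:31:00"), "corp\\hd.jsmith", "10.20.7.33", False),  # failed login, ignored
]
SAMPLE_MGMT = [
    MgmtEvent(_t("02:14:00"), "corp\\hd.jsmith", "ExportConfiguration", "VBR01"),
    *[MgmtEvent(_t(f"02:15:{i:02d}"), "corp\\hd.jsmith", "DeleteRecoveryPoint",
                f"job-fileserver/rp-{i}") for i in range(6)],
    MgmtEvent(_t("02:45:00"), "corp\\hd.jsmith", "DeleteBackupJob", "job-fileserver"),  # outside window
    MgmtEvent(_t("09:03:00"), "corp\\bkadmin01", "ModifyRepository", "repo-01"),
    MgmtEvent(_t("11:32:00"), "corp\\mon.svc", "ViewJobStatus", "job-fileserver"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_AUTHS, SAMPLE_MGMT):
        print(alert.login_ts, alert.user, alert.source_ip, alert.reasons,
              [(m.action, m.target) for m in alert.actions])
```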
Threat Hunting for the Veeam Backup RCE Vulnerability
Run these proactive hunts across your Veeam infrastructure immediately:
- Query process execution logs for any child processes spawned by Veeam services since the March 2026 advisory and the June 10, 2026 CVE-2026-44963 disclosure
- Review all Veeam authentication logs for successful interface logins from accounts that are not designated backup administrators
- Audit all backup recovery points for unexpected deletion events across your entire Veeam-managed infrastructure
- Hunt for PostgreSQL query logs showing bulk credential table reads that would indicate configuration database extraction
- Review all network connections from Veeam Backup Server hosts to external destinations for unauthorized data transfers
- Check all Veeam-managed systems for new scheduled tasks or services created outside approved change management processes
Identity and Access Monitoring
- Audit all accounts with any level of Veeam Backup and Replication interface access and confirm each has a legitimate operational requirement
- Review all Backup Viewer role assignments and remove any accounts that do not have an explicit operational justification for that access level
- Monitor for authentication attempts using credentials matching those stored in the Veeam configuration database from unexpected source locations
- Enable alerting on domain account authentications to backup-adjacent systems outside normal working hours or from unexpected source IP addresses
Mitigation Recommendations for the Veeam Backup RCE Vulnerability
These are the concrete and immediate actions your infrastructure and security teams must execute to address the Veeam Backup RCE vulnerability.
Patch Immediately to Version 12.3.2.4854
This is the single highest-priority action. Veeam released the fix in version 12.3.2.4854. There are no workarounds.
- Upgrade all Veeam Backup and Replication version 12 builds to 12.3.2.4854 immediately without waiting for a regular maintenance window
- Note that version 13.x builds are not affected due to architectural changes. Organizations already on version 13.x should confirm their specific build version and apply any available updates
- Verify upgrade completion across every Veeam Backup Server in your environment including disaster recovery and remote office instances
- Include any MSP-managed Veeam environments in the patching scope confirmation
- Apply the March 2026 patches for CVE-2026-21666, CVE-2026-21667, CVE-2026-21669, CVE-2026-21708, and CVE-2026-21668 if not already completed
Evaluate Domain Join Configuration
Veeam's own security best practice guidance recommends evaluating whether Backup Servers should remain domain-joined. This is a critical architectural consideration given that domain user authentication is the only prerequisite for exploiting the Veeam Backup RCE vulnerability.
- Evaluate migrating Veeam Backup Servers to a workgroup configuration that is not domain-joined, eliminating the domain user authentication path entirely
- If domain join is operationally required, implement Active Directory tiering to place Veeam Backup Servers in Tier 0 infrastructure that is inaccessible from standard workstation and server tiers
- Block all direct workstation-to-Veeam-Backup-Server connections at the network layer, allowing only connections from designated administrative jump hosts
Restrict and Audit Veeam Interface Access
- Conduct an immediate audit of all accounts with any Veeam Backup and Replication interface access
- Remove all accounts that do not have an explicit documented operational requirement for Veeam access
- Specifically audit and minimize Backup Viewer role assignments given the CVSS 9.9 CVE-2026-21708 exploitation path available to that role
- Enforce least-privilege principles ensuring backup monitoring accounts have only the minimum necessary permissions
- Remove all shared service account credentials used by multiple services for Veeam access and replace with individual least-privilege accounts
Implement Network Segmentation for Backup Infrastructure
- Place all Veeam Backup Servers on a dedicated network segment accessible only from designated backup management hosts and backup agents
- Block all direct connections from general user workstations and production servers to Veeam management ports
- Implement firewall rules allowing only approved source IP addresses to reach Veeam Backup Server management interfaces on ports 9392 and 9401
- Monitor all network connections to Veeam infrastructure segments and alert on connections from unauthorized source addresses
Protect the Backup Repository Chain
- Audit all backup repository configurations for unexpected access permission changes or file modification events
- Implement immutable backup repository configurations using Veeam's hardened Linux repository or object storage immutability features to prevent backup deletion or modification even if the Backup Server is compromised
- Store offline or air-gapped backup copies completely inaccessible from any domain-joined system or Veeam-managed network segment
- Test backup integrity and recovery procedures immediately to confirm clean baselines exist before any potential compromise
Enforce Multi-Factor Authentication and Zero Trust Controls
- Enforce MFA on all administrative access to Veeam Backup and Replication management interfaces
- Implement privileged access management for all Veeam administrative operations requiring session recording and just-in-time access provisioning
- Apply Zero Trust network access principles to backup infrastructure, requiring explicit authentication and device compliance for every management session
- Disable all legacy authentication methods to Veeam interfaces that could bypass MFA enforcement
Why the Veeam Backup RCE Vulnerability Pattern Demands Strategic Action
The Veeam Backup RCE vulnerability CVE-2026-44963 and the broader 2026 cluster carry lessons that extend beyond a single patch event. They confirm a strategic targeting pattern that every security and infrastructure leader needs to address at an architectural level.
Backup infrastructure is the primary ransomware target. Ransomware operators have systematically identified that backup infrastructure is the organizational asset most worth compromising before deploying their payload. An organization without recoverable backups cannot independently recover from ransomware. Every Veeam vulnerability that carries ransomware exploitation history confirms that this calculus drives active threat actor investment in backup-targeted research and exploitation.
The low-privilege exploitation pattern is deliberate and widening. The access requirement for the entire 2026 Veeam vulnerability cluster is consistent. Any authenticated domain user. Backup Viewer role. Low-privilege interface account. This is not a coincidence of vulnerability discovery. It reflects attackers specifically targeting the widest possible pool of accessible accounts for backup infrastructure exploitation. Any initial access vector that yields a domain account provides a path to backup server RCE.
Proof-of-concept availability compresses the exploitation window to days. GitHub proof-of-concept code for CVE-2026-44963 was published on the same day as disclosure, June 10, 2026. Historical analysis of Veeam vulnerability exploitation timelines shows that ransomware operators typically begin active exploitation within days to two weeks of public PoC availability. Organizations that manage Veeam patching through standard monthly cycles will be compromised before their next patch window closes.
The 550,000-customer deployment footprint is the attacker's targeting list. Veeam's market dominance, 82 percent of Fortune 500 companies, 74 percent of Global 2000 firms, makes every new Veeam RCE vulnerability a high-return investment for threat actors. The larger the installed base, the more targets any single exploitation technique reaches.
Key Takeaway
The Veeam Backup RCE vulnerability CVE-2026-44963 allows any authenticated domain user to execute arbitrary code on Veeam Backup Servers with a CVSS v4 score of 9.4. Proof-of-concept code is publicly available as of June 10, 2026. Ransomware groups including FIN7, Cuba, Akira, Fog, and Frag have all previously exploited Veeam RCE flaws within weeks of disclosure. The March 2026 advisory added four additional CVSS 9.9 Veeam RCE vulnerabilities affecting the same platform, creating a coherent attack chain from Backup Viewer credentials to full infrastructure compromise and backup destruction. Every unpatched Veeam Backup and Replication version 12 deployment is an active ransomware pre-positioning target right now.
Summary of critical actions:
- Upgrade all Veeam Backup and Replication version 12 builds to 12.3.2.4854 immediately without waiting for scheduled maintenance
- Apply March 2026 patches for CVE-2026-21666, CVE-2026-21667, CVE-2026-21669, CVE-2026-21708, and CVE-2026-21668 if not already completed
- Evaluate migrating Veeam Backup Servers to workgroup configuration to eliminate the domain user authentication attack path
- Audit and minimize all Veeam interface access, specifically Backup Viewer role assignments
- Implement immutable backup repository configurations to prevent backup deletion even after Backup Server compromise
- Confirm offline or air-gapped backup copies exist and are recoverable
- Implement network segmentation isolating Veeam infrastructure from general workstation and server tiers
- Hunt proactively for unusual Veeam authentication events, unexpected child processes from Veeam services, and bulk PostgreSQL query activity
- Treat any confirmed exploitation indicator as a critical incident requiring immediate incident response given the established ransomware exploitation history for this platform
The Veeam Backup RCE vulnerability confirms what ransomware operators already know. Backup infrastructure is not a passive recovery system. It is an active attack target. Organizations that treat Veeam patching as routine infrastructure maintenance rather than critical security response will discover that distinction only after their recovery options are gone.
Frequently Asked Questions About the Veeam Backup RCE Vulnerability
What is the Veeam Backup RCE vulnerability CVE-2026-44963?
The Veeam Backup RCE vulnerability CVE-2026-44963 is a critical remote code execution flaw in Veeam Backup and Replication that allows any authenticated domain user to execute arbitrary code on the Backup Server remotely. It carries a CVSS v4 score of 9.4 and affects all version 12 builds up to and including 12.3.2.4465. Version 13.x builds are not affected due to architectural changes. Discovered by Sina Kheirkhah of WatchTowr and disclosed on June 10, 2026, the flaw is notable for requiring only a standard domain user account, meaning any low-privilege credential obtained through phishing or lateral movement is sufficient to trigger backup server code execution.
Is the Veeam Backup RCE vulnerability CVE-2026-44963 being actively exploited?
Proof-of-concept exploit code for CVE-2026-44963 was published on GitHub on the day of disclosure, June 10, 2026. While active in-the-wild exploitation had not been publicly confirmed at the time of publication, the established pattern of Veeam RCE exploitation by ransomware operators including FIN7, Cuba, Akira, Fog, and Frag means that active exploitation attempts should be treated as imminent. CISA has flagged four prior Veeam Backup and Replication flaws as actively exploited. Historical exploitation timelines show ransomware operators typically begin attacks within days to two weeks of public PoC availability.
How does the Veeam Backup RCE vulnerability allow domain users to execute code?
The Veeam Backup RCE vulnerability CVE-2026-44963 allows any authenticated domain user to reach a code execution path on the Backup Server that should require significantly higher administrative privileges. While Veeam has not published the full technical root cause, the access threshold of any domain user indicates an authorization boundary failure in the Veeam Backup Server that does not properly restrict access to privileged execution paths based on the authenticating user's actual permission level. The companion vulnerability CVE-2026-21708 provides a separately documented path where Backup Viewer role accounts achieve RCE against the PostgreSQL database backend through a similar insufficient authorization control.
Why is the Veeam Backup RCE vulnerability so dangerous for enterprise security?
The Veeam Backup RCE vulnerability is especially dangerous because it combines three critical risk factors simultaneously. First, the access threshold of any domain user means the exploitable account pool covers hundreds or thousands of accounts in any enterprise environment. Second, the target is backup infrastructure, the last line of defense against ransomware recovery. Third, companion vulnerabilities CVE-2026-21708 and others enable credential extraction from the Veeam configuration database, providing credentials for every managed system that can then be used to delete backups and deploy ransomware across the entire managed estate. The combination enables full enterprise ransomware deployment from a single low-privilege account.
Who is most at risk from the Veeam Backup RCE vulnerability CVE-2026-44963?
Any organization running Veeam Backup and Replication version 12 builds up to and including 12.3.2.4465 with Backup Servers that are domain-joined is directly affected. Given Veeam's market penetration of 82 percent of Fortune 500 companies and 74 percent of Global 2000 firms, the exposed population is enormous. Organizations with broad domain user access to Veeam interfaces, MSPs managing multiple client backups through a single Veeam instance, and organizations that have not patched the March 2026 CVE-2026-21666 through CVE-2026-21708 advisory are at the highest immediate risk.
How should organizations respond to the Veeam Backup RCE vulnerability?
Organizations must immediately upgrade Veeam Backup and Replication to version 12.3.2.4854 without waiting for scheduled maintenance windows. Before treating patching as the complete response, security teams should audit all Veeam interface access and remove all accounts without documented operational requirements, particularly Backup Viewer role assignments. Network segmentation blocking direct connections from workstations to Veeam management ports should be implemented immediately. Immutable backup repository configurations should be enabled to prevent backup deletion even after a potential Backup Server compromise. Threat hunting should be initiated for unusual Veeam authentication events and unexpected child processes from Veeam services. Any confirmed exploitation indicator requires immediate incident response engagement given the established ransomware exploitation history for Veeam vulnerabilities.