The vulnerability CVE-2026-44963 in Veeam Backup & Replication allows remote code execution on domain-joined backup servers by any authenticated domain user with low privileges. It affects all 12.x versions up to 12.3.2.4465 and was fixed in 12.3.2.4854. Version 13.x is not affected due to architectural changes. The flaw enables attackers to potentially execute arbitrary code on backup servers, which are often integrated into Windows domains. Veeam emphasizes the importance of patching promptly to prevent exploitation, noting that attackers typically reverse-engineer patches to develop exploits. Historically, Veeam backup servers have been targeted by ransomware groups to steal data and disrupt recovery efforts.

Successful exploitation allows an authenticated domain user with low privileges to execute arbitrary code remotely on the backup server, potentially compromising backup integrity and enabling further network compromise. This elevates risk for data theft, ransomware attacks, and disruption of backup and recovery operations. The vulnerability affects domain-joined Veeam Backup & Replication servers running versions up to 12.3.2.4465. No active exploitation has been reported yet, but the critical nature and historical targeting of Veeam servers by ransomware groups underscore the severity.

A security update fixing this vulnerability is available in Veeam Backup & Replication version 12.3.2.4854. Users should upgrade to this version or later immediately. Version 13.x and later are not affected due to architectural changes. Veeam strongly recommends applying the patch without delay to prevent exploitation. There are no indications that the vulnerability is mitigated by default or that no action is required.