top of page

Veeam Backup & Replication RCE Vulnerability Allows Domain Users to Execute Remote Code on Servers

  • Jun 10
  • 2 min read

Key Findings


  • Critical remote code execution vulnerability (CVE-2026-44963, CVSS 9.4) in Veeam Backup & Replication allows authenticated domain users to execute arbitrary code on backup servers

  • Affects all Veeam Backup & Replication version 12.x builds up to 12.3.2.4465

  • Patched in version 12.3.2.4854; version 13.x unaffected due to architectural changes

  • Discovered by watchTowr researcher Sina Kheirkhah

  • No known in-the-wild exploitation at this time, but attacks likely to follow patch disclosure


Background


Veeam Backup & Replication is a critical infrastructure tool used by organizations worldwide to protect their data through backup and recovery solutions. The software is particularly attractive to attackers because it typically operates with high privileges and maintains broad access to virtual machines and storage systems. This elevated access makes compromising a Veeam server exceptionally valuable for threat actors seeking to establish persistence or cause maximum damage during an attack.


Vulnerability Details


The flaw allows any authenticated domain user with low privileges to achieve remote code execution on the Backup Server. This is a significant risk because domain accounts are often easier for attackers to obtain or compromise than administrative credentials. Once an attacker gains code execution, they can fully compromise the backup infrastructure and access sensitive data stored within backup archives.


Affected Versions and Patches


Only version 12.x of Veeam Backup & Replication is vulnerable. All builds through version 12.3.2.4465 are impacted. Version 13.x remains unaffected because Veeam implemented architectural changes that prevent this particular attack vector. Organizations running version 12 must upgrade to 12.3.2.4854 or later immediately.


Why Backup Systems Are Prime Targets


Ransomware and extortion groups specifically prioritize backup infrastructure because disabling it severely impacts an organization's ability to recover from attacks. By compromising a Veeam server, attackers can delete or encrypt backups, steal sensitive data from backup archives, and extract credentials that enable lateral movement through the network. This combination of impacts dramatically increases the pressure on victims to pay ransoms and makes recovery efforts substantially more difficult.


Vendor Warnings


Veeam explicitly warns that threat actors will likely attempt to reverse-engineer patches once they're disclosed to exploit unpatched systems. The vendor emphasizes the critical importance of updating all software without delay and maintaining current patch levels across all deployments. This guidance reflects the reality that publicly disclosed vulnerabilities become immediate targets for automated exploitation tools and skilled attackers alike.


Historical Context


This is not the first critical vulnerability discovered in Veeam products. In June 2025, the company patched CVE-2025-23121 with a CVSS score of 9.9, and multiple critical flaws were addressed in March 2026. The recurring nature of these high-severity issues underscores that Veeam infrastructure requires continuous security monitoring and rapid patching protocols.


Sources


  • https://thehackernews.com/2026/06/veeam-backup-replication-rce-flaw-lets.html

  • https://securityaffairs.com/193385/uncategorized/critical-veeam-rce-flaw-lets-low-privilege-users-take-over-backup-servers.html

  • https://x.com/TheHackersNews/status/2064391579616542867

  • https://www.socdefenders.ai/item/1feae985-75a4-4125-9bd8-ff065bd65d9a

  • https://www.facebook.com/thehackernews/photos/-a-single-domain-user-could-run-code-on-your-veeam-backup-serverveeam-has-patche/1390590569772189

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page