CVE-2026-44963 – A critical RCE flaw in Veeam Backup & Replication (VBR) Server
10 Jun 2026
Veeam has disclosed a critical Remote Code Execution (RCE) vulnerability, tracked as CVE-2026-44963, affecting Veeam Backup & Replication (VBR) Version 12 deployments that are joined to a Microsoft Active Directory domain.
The vulnerability was reported by Sina Kheirkhah, a security researcher at WatchTower, and subsequently addressed by Veeam through a security update.
About the vulnerability
| Vendor + component affected | Versions affected | CVE Identifier | About | Severity |
|---|---|---|---|---|
| Veeam + Veeam Backup & Replication | | CVE-2026-44963 | An RCE vulnerability that allows an authenticated domain user with low privileges to execute arbitrary code remotely on the Veeam Backup Server. Although exploitation requires valid domain credentials, the flaw significantly increases risk because backup servers are often among the most valuable assets within enterprise environments. | 9.4 (Critical) |
What can attackers do with the vulnerability?
An authenticated Active Directory user with low privileges can leverage the vulnerability to execute arbitrary code directly on the Veeam Backup Server. The attack requires access to a domain account but does not require administrative privileges on the Veeam infrastructure itself.
Attackers can exploit the vulnerability to:
- Cause complete compromise of the backup infrastructure
- Gain unauthorized access to backup repositories and recovery systems
- Delete or encrypt backups
- Disrupt incident recovery operations
- Laterally move into broader enterprise environments
- Deploy ransomware payloads across production environments
- Establish persistence mechanisms within backup management systems
- Cause significant disruption to business operations from the loss of recovery capabilities
SharkStriker recommendations
To protect critical backup infrastructure and reduce the risk of ransomware-driven attacks, SharkStriker recommends implementing the following measures:
- Upgrade Immediately: Upgrade all affected Veeam Backup & Replication Version 12 deployments to Version 12.3.2.4854 or later.
- Prioritize Backup Infrastructure: Treat backup servers as Tier-1 critical assets and accelerate patch deployment timelines accordingly.
- Review Domain Membership: Evaluate whether backup servers require Active Directory domain membership and follow Veeam’s recommended hardening practices wherever operationally feasible.
- Restrict User Access: Implement strict least-privilege access controls and limit user interaction with backup infrastructure.
- Enable Continuous Monitoring: Ensure EDR/XDR controls are actively monitoring backup servers for suspicious process execution, privilege escalation attempts, and unauthorized administrative actions.
- Conduct Proactive Threat Hunting: Review authentication logs, backup administration events, service creation activity, and unusual access patterns involving backup systems.
- Harden Backup Security: Implement immutable backups, offline backup storage, network segmentation, and privileged access controls to strengthen resilience against ransomware attacks.
- Validate Recovery Readiness: Perform routine backup restoration testing to confirm the integrity and recoverability of critical business data.
- Monitor for Emerging Exploitation: Closely track threat intelligence feeds and vendor advisories for the release of proof-of-concept exploits or reports of active exploitation.
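To act on the upgrade and domain-membership recommendations across a fleet, the following added example (not code from SharkStriker or Veeam) triages an inventory of VBR servers against the fixed build 12.3.2.4854 and the domain-joined condition described above. The CSV layout, hostnames, sample builds and status labels are constructed for illustration, and the script assumes every Version 12 build below the fixed build is affected.

```python
import csv
import io

FIXED_BUILD = (12, 3, 2, 4854)  # fixed build named in this advisory

# Constructed sample inventory (hostnames and builds are illustrative only).
SAMPLE_INVENTORY = """host,vbr_build,domain_joined
vbr-hq-01,12.1.2.172,true
vbr-dr-01,12.3.2.4854,true
vbr-lab-01,12.0.0.1420,false
vbr-branch-01,12.3.1,true
vbr-old-01,unknown,true
"""

def parse_build(text):
    """Return the build as a 4-tuple of ints, or None if it cannot be parsed."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdecimal() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))  # pad short strings: 12.3.1 -> 12.3.1.0

def classify(build_text, domain_joined):
    build = parse_build(build_text)
    if build is None:
        return "VERIFY"          # unknown build: check manually, do not assume safe
    if build[0] != 12:
        return "OUT_OF_SCOPE"    # the advisory covers Version 12 only
    if build >= FIXED_BUILD:
        return "PATCHED"
    # Assumption: every 12.x build below the fixed build is affected.
    return "EXPOSED" if domain_joined else "PATCH_PENDING"

def triage(inventory_csv):
    """Map each host to a status, reading CSV text with the columns shown above."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        joined = row["domain_joined"].strip().lower() in ("true", "yes", "1")
        results[row["host"]] = classify(row["vbr_build"], joined)
    return results

if __name__ == "__main__":
    order = ["EXPOSED", "VERIFY", "PATCH_PENDING", "PATCHED", "OUT_OF_SCOPE"]
    ranked = sorted(triage(SAMPLE_INVENTORY).items(), key=lambda kv: order.index(kv[1]))
    for host, status in ranked:
        print(f"{status:14} {host}")
```

Hosts marked PATCH_PENDING are below the fixed build but not domain-joined, so they fall outside the exposure condition described here while still needing the upgrade.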