Critical RCE in Veeam Backup & Replication Exposes Domain-Joined Servers
Veeam has released fixes for a critical remote code execution flaw in Veeam Backup & Replication, tracked as CVE-2026-44963, affecting version 12.3.2.4465 and earlier 12.x builds on Windows domain-joined servers. The vulnerability was reported by WatchTowr researcher Sina Kheirkhah and allows any authenticated low-privileged domain user to execute arbitrary code on the backup server, giving attackers a path to compromise backup infrastructure in Active Directory environments. Veeam says version 13.x is not affected because of architectural changes, and the issue is resolved in Veeam Backup & Replication 12.3.2.4854.
The flaw has not been publicly reported as exploited, but Veeam warned that attackers often reverse-engineer patches quickly to target unpatched systems. The issue carries a CVSS v4 score of 9.4 and is especially serious because backup servers are frequent ransomware targets: compromising them can enable data theft, lateral movement, privilege escalation, and destruction of backups. Reporting on the disclosure also pointed to earlier Veeam-focused attacks, including abuse of CVE-2024-40711 by Akira, Fog, and Frag, underscoring the need for organizations to patch immediately, review domain-joined deployments, restrict unnecessary domain user access, and closely monitor backup infrastructure.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Veeam releases fix for CVE-2026-44963 in version 12.3.2.4854
Veeam released security updates addressing CVE-2026-44963 in Veeam Backup & Replication 12.3.2.4854. The company said version 13.x is not affected because of architectural changes.
WatchTowr researcher reports Veeam Backup & Replication RCE flaw
Sina Kheirkhah of WatchTowr identified and reported a critical remote code execution vulnerability in Veeam Backup & Replication, tracked as CVE-2026-44963. The flaw affects domain-joined Veeam Backup & Replication version 12 deployments through 12.3.2.4465 and earlier 12.x builds.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
8 references tracked. Mallory keeps watching after this page renders.
Fix Veeam Backup Vulnerability & Remote Code Execution
securityonline.info
Open sourceWarning: CRITICAL REMOTE CODE EXECUTION IN VEEAM BACKUP & REPLICATION, Patch Immediately! | CCB Belgium
ccb.belgium.be
Open sourceVeeam releases security update for critical backup server vulnerability | brief | SC Media
scworld.com
Open sourceCritical Veeam RCE flaw Lets Low-Privilege Users Take Over Backup Servers
securityaffairs.com
Open sourceCritical Veeam Vulnerability Allows RCE Attacks on Backup Servers
cybersecuritynews.com
Open sourceVeeam Backup & Replication RCE Flaw Lets Domain Users Run Remote Code
thehackernews.com
Open sourceKB4869: Vulnerability Resolved in Veeam Backup & Replication 12.3.2.4854
veeam.com
Open sourceNew Veeam vulnerability exposes backup servers to RCE attacks
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Veeam Fixes Multiple Critical Backup & Replication RCE Vulnerabilities
**Veeam** released security updates for **Backup & Replication** to address multiple high-severity flaws, including several **remote code execution** issues affecting version `12.3.2.4165` and all earlier version 12 builds. The disclosed vulnerabilities include `CVE-2026-21666`, `CVE-2026-21667`, `CVE-2026-21668`, `CVE-2026-21672`, and `CVE-2026-21708`, with several carrying **CVSS 9.9** ratings. According to the advisories, successful exploitation could allow authenticated domain users to execute code on the backup server, manipulate arbitrary files on a backup repository, or achieve local privilege escalation on Windows-based servers. Veeam said the issues were fixed in **Backup & Replication** version `12.3.2.4465`, while `CVE-2026-21672` and `CVE-2026-21708` were also remediated in version `13.0.1.2067`, alongside additional critical flaws `CVE-2026-21669` and `CVE-2026-21671`. The company warned that public patch disclosure increases the likelihood of **patch reverse engineering** and follow-on attacks against unpatched systems, making rapid remediation a priority for organizations running exposed or domain-connected Veeam infrastructure.
Mar 20, 2026
Critical Remote Code Execution Vulnerabilities in Veeam Backup & Replication
Veeam released a security advisory disclosing multiple vulnerabilities in its Veeam Backup & Replication and Veeam Agent for Microsoft Windows products. Two of the vulnerabilities, CVE-2025-48983 and CVE-2025-48984, were rated as critical with a CVSS score of 9.9, indicating a severe risk to affected systems. Both critical vulnerabilities reside in the Veeam Backup & Replication product and allow an authenticated domain user to execute arbitrary code on backup infrastructure hosts and the backup server, respectively. These flaws specifically impact Veeam Backup & Replication version 12.3.2.3617 and all earlier version 12 builds, but only on domain-joined backup servers. A third vulnerability, CVE-2025-48982, affects Veeam Agent for Microsoft Windows and allows for local privilege escalation if a system administrator is tricked into restoring a malicious file. This vulnerability impacts version 6.3.2.1205 and all earlier version 6 builds of the agent. The vendor has indicated that unsupported product versions have not been tested but are likely vulnerable and should be considered at risk. The vulnerabilities were disclosed on October 14, 2025, and security advisories were published the following day to alert users and administrators. CERT-EU and other security organizations have strongly recommended that organizations update affected software immediately to mitigate the risk of exploitation. In addition to patching, following Veeam's implementation best practices is advised to further reduce exposure. The vulnerabilities require an authenticated domain user for exploitation, which means that attackers would need valid credentials or access to a compromised account within the target environment. The potential impact of successful exploitation includes full remote code execution on critical backup infrastructure, which could lead to data theft, ransomware deployment, or destruction of backup data. The disclosure has raised concerns in the security community due to the critical nature of backup systems in organizational resilience and recovery. Security advisories have emphasized the urgency of remediation, given the high CVSS scores and the potential for significant operational disruption. Organizations are also advised to review their backup server configurations and restrict access to trusted users only. The vendor has provided detailed guidance and best practices for hardening Veeam deployments, including recommendations for both workgroup and domain-joined environments. The vulnerabilities highlight the ongoing risks associated with backup infrastructure and the importance of timely patch management. Security teams are urged to monitor for signs of exploitation and to ensure that all backup-related systems are included in vulnerability management programs. The incident underscores the need for layered security controls and regular review of privileged access within enterprise environments.
Mar 21, 2026
Critical RCE Flaws in Veeam Backup & Replication and Rsync Require Patching
Authorities warned of critical vulnerabilities in two widely used backup and file synchronization products, with the most severe issues enabling remote code execution. In **Veeam Backup & Replication** version `12.3.1.1139` and all earlier `12.x` releases, **CVE-2025-23121** can allow code execution on a backup server when an authenticated domain user account is available, particularly on domain-joined systems. Two additional Veeam flaws, **CVE-2025-24286** and **CVE-2025-24287**, can also lead to arbitrary code execution through backup job modification by an authenticated backup operator or by manipulating local directory contents as a local system user. A separate alert covered **Rsync** version `3.3.0` and earlier, where six server-side vulnerabilities were disclosed. The most critical, **CVE-2024-12084**, can allow arbitrary code execution on a target Rsync server, while additional flaws include **CVE-2024-12085**, **CVE-2024-12747**, **CVE-2024-12086**, **CVE-2024-12087**, and **CVE-2024-12088**; the client application is not affected. Defenders were urged to apply vendor fixes immediately, including upgrading Veeam to version `12.3.2` build `12.3.2.3617` and installing patched Rsync packages provided by Linux distributors.
Apr 23, 2026