Mallory
Critical

RCE in Veeam Backup & Replication domain-joined Backup Server

Identifiers: CVE-2026-44963, CWE-502 (Deserialization of Untrusted Data)

CVE-2026-44963 is a critical remote code execution vulnerability in Veeam Backup & Replication affecting version 12 builds up to and including 12.3.2.4465. The flaw allows an authenticated domain user to execute arbitrary code remotely on the Veeam Backup Server when that server is joined to an Active Directory domain. The CVE has been assigned CWE-502, which indicates deserialization of untrusted data. Veeam states that workgroup deployments are not affected by this specific attack vector, and that architectural changes in version 13.x prevent exploitation in that release line.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a low-privileged authenticated domain user to achieve remote code execution on the backup server, potentially resulting in full compromise of the Veeam Backup Server. Given the role of backup infrastructure, this can enable theft of backed-up data, deletion or encryption of backups, credential access, lateral movement, and disruption of recovery operations. The CVSS v4 score is reported as 9.4, reflecting high impact to confidentiality, integrity, and availability.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by ensuring Veeam Backup Servers are not joined to a Windows domain where operationally feasible, in line with Veeam best-practice guidance. Audit backup infrastructure for domain-joined deployments, restrict domain user access to Veeam servers, and monitor backup systems for suspicious lateral movement and privilege escalation activity. Workgroup deployments are described as not affected by this specific attack vector.

Remediation

Patch, then assume compromise.

Upgrade Veeam Backup & Replication to version 12.3.2.4854 or later. Veeam states that version 12.3.2.4465 and all earlier version 12 builds are affected, while version 13.x is not affected due to architectural changes. Organizations should prioritize patching domain-joined backup servers immediately and review unsupported older versions as likely vulnerable.
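
As an added example (not Mallory's or Veeam's code), the Python sketch below triages a backup-server inventory against the build numbers and the domain-join condition stated above. The inventory rows, the status labels, and the treatment of 12.x builds between 12.3.2.4465 and 12.3.2.4854 as affected are assumptions.

```python
import re

FIXED = (12, 3, 2, 4854)  # first fixed build named in the advisory

# Constructed sample inventory: (hostname, VBR build, domain-joined?)
SAMPLE_INVENTORY = [
    ("vbr-hq-01", "12.3.2.4465", True),
    ("vbr-dr-01", "12.1.0.2131", False),
    ("vbr-lab-01", "12.3.2.4854", True),
    ("vbr-new-01", "13.0.0.4967", True),
    ("vbr-old-01", "11.0.1.1261", True),
    ("vbr-bad-01", "12.3", True),
]

# Most urgent first; used to sort the report.
ORDER = ["EXPOSED_DOMAIN_JOINED", "LIKELY_VULNERABLE", "UNKNOWN",
         "AFFECTED_BUILD_WORKGROUP", "PATCHED", "NOT_AFFECTED"]


def parse_build(text):
    """Return a 4-tuple of ints, or None unless text is a full a.b.c.d build."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def triage(build_text, domain_joined):
    build = parse_build(build_text)
    if build is None:
        return "UNKNOWN"            # cannot compare; confirm the build by hand
    if build[0] >= 13:
        return "NOT_AFFECTED"       # 13.x is not affected, per Veeam
    if build[0] < 12:
        return "LIKELY_VULNERABLE"  # unsupported older release line
    if build >= FIXED:
        return "PATCHED"
    # Assumption: every 12.x build below the fixed build is treated as
    # affected, including builds the advisory does not list explicitly.
    if domain_joined:
        return "EXPOSED_DOMAIN_JOINED"
    return "AFFECTED_BUILD_WORKGROUP"  # vector not applicable; still upgrade


def report(inventory):
    """Return (status, host, build, domain_joined) rows, most urgent first."""
    rows = [(triage(b, dj), host, b, dj) for host, b, dj in inventory]
    return sorted(rows, key=lambda r: (ORDER.index(r[0]), r[1]))


if __name__ == "__main__":
    for status, host, build, dj in report(SAMPLE_INVENTORY):
        print(f"{status:25} {host:12} {build:14} domain_joined={dj}")
```
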

PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability.
