Critical

RCE in Veeam Backup & Replication domain-joined Backup Server

Identifiers: CVE-2026-44963; CWE-502 · Deserialization of Untrusted Data

CVE-2026-44963 is a critical remote code execution vulnerability in Veeam Backup & Replication affecting 12.x builds through 12.3.2.4465. It allows an authenticated domain user to execute arbitrary code remotely on the Veeam Backup Server when the server is joined to an Active Directory/Windows domain. Supporting content indicates the CVE has been assigned CWE-502, consistent with deserialization of untrusted data. Version 13.x is reported as not affected due to architectural changes.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows arbitrary code execution on the backup server by a low-privileged authenticated domain user and can lead to full compromise of the affected backup server. Given the role of Veeam Backup & Replication infrastructure, compromise may expose backup data, enable deletion or tampering of backups, facilitate credential access, and support lateral movement deeper into the environment. The vulnerability is especially severe because backup infrastructure is a high-value target for ransomware and extortion operations.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by removing Veeam Backup Servers from Windows domain membership where operationally feasible, as the issue is described as affecting domain-joined deployments. Restrict and review domain user access to systems that can reach or interact with the backup server, monitor backup infrastructure for suspicious lateral movement and privilege escalation activity, and prioritize isolation and hardening of backup infrastructure. These measures are compensating controls only and do not replace upgrading to the fixed version.

Remediation

Patch, then assume compromise.

Upgrade Veeam Backup & Replication to version 12.3.2.4854 or later, the build in which Veeam states the vulnerability is fixed. Version 13.x is not affected. Unsupported older releases were not formally tested in the cited reporting and should be treated as potentially vulnerable until upgraded to a fixed supported version. Review the relevant Veeam vendor advisory/knowledge base referenced in the content for product-specific update guidance.
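
The build boundaries above can be applied to an asset inventory. The following is an added example, not code from Veeam or from this page: it classifies each backup server by build string and domain membership, including builds the advisory does not list. The hostnames, the sample builds and the status labels are assumptions made for illustration.

```python
import re

# Build boundaries quoted from the advisory text above.
LAST_AFFECTED = (12, 3, 2, 4465)  # "12.x builds through 12.3.2.4465"
FIRST_FIXED = (12, 3, 2, 4854)    # "fixed in 12.3.2.4854"

def parse_build(text):
    """Parse 'a.b.c.d' into a 4-tuple of ints; return None if malformed."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*", text or "")
    return tuple(int(g) for g in m.groups()) if m else None

def triage(build, domain_joined):
    """Return (status, action) for one server. Status labels are this example's own."""
    v = parse_build(build)
    if v is None:
        return ("unknown", "build string unreadable; verify manually")
    if v[0] == 13:
        return ("not_affected", "13.x is reported as not affected")
    if v[0] < 12:
        return ("untested", "unsupported release; treat as potentially vulnerable")
    if v[0] > 13 or LAST_AFFECTED < v < FIRST_FIXED:
        return ("unlisted", "build not covered by the advisory; check with the vendor")
    if v >= FIRST_FIXED:
        return ("fixed", "no action needed for this CVE")
    if domain_joined:
        return ("exposed", "upgrade to 12.3.2.4854 or later; mitigate until then")
    # Leaving the domain is a compensating control only, so the build still needs the fix.
    return ("affected_build", "not domain-joined; still upgrade to 12.3.2.4854 or later")

# Constructed sample inventory: (hostname, build, domain_joined). All values are made up.
INVENTORY = [
    ("vbr-01", "12.3.2.4465", True),
    ("vbr-02", "12.3.2.4854", True),
    ("vbr-03", "12.1.0.2131", False),
    ("vbr-04", "13.0.0.100", True),
    ("vbr-05", "11.0.1.1261", True),
    ("vbr-06", "12.3.2.4600", True),
]

def report(inventory):
    """Map each hostname to its triage status."""
    return {host: triage(build, joined)[0] for host, build, joined in inventory}

if __name__ == "__main__":
    for host, build, joined in INVENTORY:
        status, action = triage(build, joined)
        print(f"{host:8} {build:14} domain_joined={joined!s:5} {status:15} {action}")
```
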
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.


No public exploit code observed for this vulnerability.
