Overview
- Veeam released a security update on Tuesday, June 9, 2026 that fixes CVE-2026-44963 in Backup & Replication 12.x with version 12.3.2.4854; version 13.x is not affected because of an architectural change.
- The flaw allowed any authenticated low-privileged Active Directory domain user to execute remote code on domain-joined backup servers, creating a direct route to take over backup systems.
- Veeam and multiple reporters say there are no confirmed in-the-wild exploits yet, but the issue is high severity (CVSS v4 ≈ 9.4) and attackers commonly reverse-engineer patches to target unpatched installations.
- Backup servers are a prime target for ransomware and extortion gangs because compromising them lets attackers steal backup archives, gain credentials for lateral movement, and delete backups to block recovery.
- Organizations should install 12.3.2.4854 immediately, consider removing backup servers from Active Directory where feasible, verify backup integrity and restoration procedures, and monitor for suspicious activity on backup hosts.
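To turn the first two recommendations into something an administrator can run on each backup host, the following PowerShell script reads the installed Backup & Replication build, compares it against the fixed 12.x version from the advisory summary (treating 13.x as unaffected), and reports whether the host is domain-joined, since the flaw is reachable by any low-privileged domain user. This is an added example, not code from the original page or from Veeam. It assumes the product registers under the standard Windows Uninstall registry key with a DisplayName beginning "Veeam Backup & Replication" and a DisplayVersion string; if your installation records the build elsewhere, pass the version explicitly with -InstalledVersion.

```powershell
# Added example (not from the original page or from Veeam): check whether a
# Backup & Replication host is still on an affected 12.x build and whether it is
# domain-joined. Assumption: the product appears under the standard Uninstall key
# with a DisplayName starting "Veeam Backup & Replication" and a DisplayVersion.

function Get-VeeamInstalledVersion {
    # Standard per-machine uninstall keys (64-bit and 32-bit registry views).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Veeam Backup & Replication*' } |  # assumed display name
        Select-Object -First 1
    if ($null -eq $entry -or [string]::IsNullOrEmpty($entry.DisplayVersion)) { return $null }
    return [version]$entry.DisplayVersion
}

function Test-VeeamPatchState {
    param(
        # Supply a version read from another source (e.g. an inventory export) to skip the registry lookup.
        [version]$InstalledVersion = (Get-VeeamInstalledVersion)
    )
    $fixed = [version]'12.3.2.4854'   # fixed 12.x build named in the advisory summary

    if ($null -eq $InstalledVersion) {
        $state = 'NotFound'            # product not detected under the assumed registry entry
    } elseif ($InstalledVersion.Major -ge 13) {
        $state = 'NotAffected'         # 13.x is not affected (architectural change)
    } elseif ($InstalledVersion.Major -eq 12 -and $InstalledVersion -lt $fixed) {
        $state = 'Vulnerable'          # 12.x build older than the fixed version
    } elseif ($InstalledVersion.Major -eq 12) {
        $state = 'Patched'
    } else {
        $state = 'OutOfScope'          # pre-12 builds are not covered by the summary; review separately
    }

    # Domain membership decides how reachable the flaw is: any authenticated domain user can hit it.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $domainJoined = [bool]$cs.PartOfDomain

    if ($state -eq 'Vulnerable' -and $domainJoined) { $exposure = 'High' }
    elseif ($state -eq 'Vulnerable')                { $exposure = 'Medium' }
    else                                            { $exposure = 'Low' }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        InstalledVersion = $InstalledVersion
        FixedVersion     = $fixed
        PatchState       = $state
        DomainJoined     = $domainJoined
        Domain           = $cs.Domain
        Exposure         = $exposure
    }
}

# Run locally on a backup server; across a fleet, wrap in Invoke-Command and pipe to Export-Csv.
Test-VeeamPatchState | Format-List
```

A host reporting PatchState "Vulnerable" with DomainJoined True is the case the summary describes: upgrade it to 12.3.2.4854 first, then evaluate whether it needs to stay in Active Directory at all.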