Veeam patches critical RCE in Backup & Replication
Veeam released patches for CVE-2026-44963 (CVSS 9.4), a flaw that lets authenticated domain users run code on the backup server; it is fixed in 12.3.2.4854. 13.x builds are unaffected.
Veeam has released updates to fix CVE-2026-44963, a critical remote code execution vulnerability in Veeam Backup & Replication. The flaw carries a CVSS score of 9.4 and is resolved in version 12.3.2.4854. Builds in the 13.x series are not affected.
In a Tuesday advisory, Veeam credited watchTowr researcher Sina Kheirkhah for reporting the issue. The advisory describes the vulnerability as “a vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user.”
The flaw affects Veeam Backup & Replication 12.3.2.4465 and all earlier 12.x builds. Veeam said architectural changes in version 13 prevent the issue from occurring in 13.x releases. The advisory did not report active exploitation tied to this CVE at the time of disclosure.
Under the conditions described, an authenticated domain user with valid credentials could execute arbitrary code on the backup server. Successful exploitation could affect backup integrity and availability.
Veeam previously patched multiple critical Backup & Replication vulnerabilities in March 2026 that could also lead to remote code execution. Security responders and vendors have reported past incidents in which flaws in backup software were used by malicious actors, including ransomware operators.
Administrators running 12.x builds should verify their build number and upgrade to 12.3.2.4854 to remediate the vulnerability. Organizations on 13.x do not require this fix for CVE-2026-44963 but should continue to apply vendor patches and keep software current.








