Veeam Patches Critical RCE Flaw in Backup & Replication: Urgent Action Needed for Domain-Joined Servers

**Veeam** has released an urgent security update to address a critical Remote Code Execution (RCE) vulnerability, **CVE-2026-44963**, affecting its **Backup & Replication** software. The flaw could allow low-privileged authenticated domain users to compromise domain-joined backup servers, so IT security professionals should patch immediately.

### Critical RCE Flaw Discovered in Veeam Backup & Replication
**Veeam** has pushed out security updates to mitigate a severe security flaw in its **Backup & Replication (VBR)** product. The vulnerability, tracked as **CVE-2026-44963**, was reported by security researcher **Sina Kheirkhah** of **WatchTowr** and could enable remote code execution on domain-joined backup servers.
The flaw impacts **Veeam Backup & Replication (VBR)** version 12.3.2.4465 and all earlier version 12 builds. It has been resolved in version 12.3.2.4854. According to **Veeam**'s advisory, the vulnerability allows "remote code execution (RCE) on the Backup Server by an authenticated domain user." **Veeam Backup & Replication** 13.x builds are not affected due to significant architectural changes.
### Best Practices Ignored: The Domain-Joined Risk
While the vulnerability can be exploited by any low-privileged domain user, it specifically affects **Veeam Backup & Replication** installations that are joined to a domain. This requirement highlights a common deviation from **Veeam**'s long-standing best practices, which advise against joining backup servers to a Windows domain to minimize the attack surface.
Unfortunately, many organizations have overlooked this critical recommendation, inadvertently exposing their backup infrastructure to this type of threat. This oversight provides a clear pathway for attackers to potentially gain control over crucial data recovery systems.
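The two conditions described above (an affected version 12 build and a domain-joined server) can be checked across an inventory. The following is an added example, not Veeam's tooling: the CSV layout, host names and sample builds are constructed for illustration, and only the two build numbers come from the advisory.

```python
import csv
import io

# Build numbers taken from the advisory quoted in the article.
LAST_AFFECTED = (12, 3, 2, 4465)  # this and all earlier version 12 builds
FIXED = (12, 3, 2, 4854)          # build that resolves the flaw
ORDER = ["PATCH NOW", "PATCH", "REVIEW", "OK"]

# Constructed sample inventory; hosts and builds are illustrative only.
SAMPLE = """host,build,domain_joined
bk-04,13.0.0.1,yes
bk-03,12.3.2.4854,yes
bk-02,12.0.0.1,no
bk-05,12.3.2,yes
bk-01,12.3.2.4465,yes
"""

def classify(build, domain_joined):
    """Return (level, reason) for one server."""
    parts = build.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return ("REVIEW", "build is not a four-part number")
    v = tuple(int(p) for p in parts)
    if v[0] == 13:
        return ("OK", "13.x is not affected")
    if v[0] != 12:
        return ("REVIEW", "major version not covered by the advisory text")
    if v >= FIXED:
        # Assumption: later version 12 builds carry the fix forward.
        return ("OK", "at or above the fixed build")
    if v > LAST_AFFECTED:
        return ("REVIEW", "between last affected and fixed build")
    if domain_joined:
        return ("PATCH NOW", "affected build on a domain-joined server")
    return ("PATCH", "affected build; not domain-joined")

def triage(csv_text):
    """Classify every row and return (host, level, reason), most urgent first."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Anything other than an explicit "no" is treated as domain-joined.
        joined = row["domain_joined"].strip().lower() != "no"
        level, reason = classify(row["build"], joined)
        rows.append((row["host"], level, reason))
    return sorted(rows, key=lambda r: ORDER.index(r[1]))

if __name__ == "__main__":
    for host, level, reason in triage(SAMPLE):
        print(f"{host:6} {level:10} {reason}")
```

Rows marked REVIEW are cases the advisory text does not settle, such as a truncated build string or a build between the last affected and the fixed one, and need a manual check.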
### Patch Now: The Race Against Attackers
Although there are currently no reports of active exploitation, **Veeam** has issued a strong warning that attackers are likely to begin reverse-engineering patches as soon as they are disclosed. This practice allows malicious actors to develop exploits for unpatched systems rapidly.
"This reality underscores the critical importance of ensuring that all customers use the latest versions of our software and install all updates and patches without delay," **Veeam** emphasized. The window between patch release and exploit development is often narrow, making prompt action essential for protecting sensitive backup environments.
### Veeam Servers: A Prime Target for Ransomware
**Veeam** products are widely used, with over 550,000 customers globally, including a significant portion of Fortune 500 and Global 2000 companies. This widespread adoption, coupled with the critical role of backup servers, makes them an attractive target for ransomware gangs.
Ransomware operators frequently target backup servers to steal sensitive data, facilitate lateral movement within breached networks, and sabotage recovery efforts by deleting or encrypting backups. The **Cybersecurity and Infrastructure Security Agency (CISA)** has previously flagged four **Veeam Backup & Replication** flaws as actively exploited in attacks, all of which have been leveraged by ransomware groups.
For instance, in November 2024, ransomware operations such as **Akira**, **Fog**, and **Frag** were reported to have weaponized another critical **VBR** RCE flaw, **CVE-2024-40711**. Notorious threat groups like **FIN7** and the **Cuba** ransomware gang have also been linked to attacks exploiting **VBR** security vulnerabilities. Given this history, the new **CVE-2026-44963** flaw presents a significant risk that organizations must address without delay.