cbcvebase.
CVE-2026-44963
published 2026-06-09

CVE-2026-44963: A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user.

PriorityP266critical9.4CVSS 4.0
AVNACLATNPRLUINVCHVIHVAHSCHSIHSAHEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EPSS
2.04%
78.7th percentile
A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user.

Affected

1 ranges
VendorProductVersion rangeFixed in
veeambackup_and_replication< 12.3.212.3.2

Detection & IOCsextracted from sources · hover to see the quote

  • CVE-2026-44963 is exploitable only on Veeam Backup & Replication servers that are joined to a Windows domain; scope detection efforts to domain-joined VBR instances running version 12 builds up to and including 12.3.2.4465
  • Any low-privileged authenticated domain user can trigger the RCE; monitor for unexpected process spawning or outbound connections originating from the Veeam Backup Service (VeeamBackupSvc) process on the backup server
  • Patch-diffing of version 12.3.2.4854 against 12.3.2.4465 is expected to be used by attackers to develop exploits; prioritise detection of exploitation attempts against unpatched VBR 12.x deployments immediately after patch release
  • Ransomware groups historically target Veeam backup servers to steal data, perform lateral movement, and delete backups; correlate RCE exploitation of CVE-2026-44963 with subsequent backup deletion or exfiltration activity
  • ·Vulnerability does NOT affect Veeam Backup & Replication version 13.x builds due to architectural changes; detection rules targeting this CVE should be scoped to version 12.x only
  • ·Exploitation requires the backup server to be domain-joined; standalone (workgroup) VBR deployments following Veeam best practices are not affected
  • ·No active exploitation has been reported at time of disclosure; however, threat actor development of exploits is anticipated post-patch
  • ·Fixed version is 12.3.2.4854; all version 12 builds at or below 12.3.2.4465 are vulnerable
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.