Critical Veeam Vulnerability Allows RCE Attacks on Backup Servers

A critical RCE in Veeam Backup & Replication (CVE-2026-44963, CVSS v4 9.4) enables any authenticated domain user to execute arbitrary code on domain-joined backup servers for versions 12 through 12.3.2.4465. Veeam released a fix in 12.3.2.4854 (June 9, 2026); organizations are advised to patch immediately, audit whether backup servers are domain-joined, consider workgroup configurations per best practices, and review domain user access to reduce risk of exploitation and ransomware targeting.