Security
Veeam Backup and Replication CVE-2026-44963: domain-user RCE on backup servers
- Category: Security
- Status: confirmed
- Sources: Veeam KB4696, Security Affairs
- Summary: Veeam patched CVE-2026-44963 (CVSS v4 9.4) in Veeam Backup and Replication 12.3.2.4854, released 2026-06-09 via KB4696. Any authenticated Active Directory domain user on a domain-joined backup server can exploit the flaw to execute arbitrary code on that server. All v12 builds through 12.3.2.4465 are affected; version 13.x is not affected due to architectural changes introduced in that major version. No exploitation was observed at time of disclosure.
- Why it matters: Backup servers are primary ransomware targets; domain-joined Veeam v12 deployments should apply KB4696 immediately or isolate backup servers from Active Directory if patching must be delayed.