Veeam Software has released an emergency patch for CVE-2026-44963, a critical remote code execution vulnerability in Veeam Backup & Replication that allows any user with Active Directory domain credentials to execute arbitrary code on the Veeam backup server. The vulnerability is in the Veeam Backup Service's API endpoint, which improperly validates the privilege level required to invoke backup service operations.
Vulnerability Details
CVSS 9.4 (Critical): Network access vector, low privilege required (any domain user), no user interaction, scope change, critical confidentiality and integrity impact.
The Veeam Backup Service API accepts requests from domain-authenticated users to manage backup jobs, restore points, and service operations. CVE-2026-44963 is an insufficient authorisation check in a specific API operation: the operation should require Veeam administrator-level credentials but can be invoked by any domain-authenticated user. The API endpoint accepts serialised .NET objects (a class of input that has historically enabled remote code execution through malicious object deserialisation) and does not adequately verify the caller's Veeam privilege level before processing the operation.
Affected versions: Veeam Backup & Replication versions 12.1 and earlier. The fix is included in Veeam Backup & Replication 12.2.
Attack path: An attacker with any domain user credentials on the network, including a regular workstation user with no IT admin privileges, can craft a request to the Veeam Backup Service API and achieve code execution on the backup server with the service account's privileges (typically Local System or a dedicated high-privilege service account).
Why Backup Infrastructure Is a Critical Attack Target
Ransomware operators have made backup infrastructure a primary target. The tactical logic is straightforward: if an organisation's backups are destroyed or encrypted before the ransomware payload deploys on production systems, the organisation cannot recover without paying the ransom.
CVE-2026-44963 fits precisely into this attack playbook:
- Attacker gains initial access via phishing, VPN exploit, or credential theft, achieving domain user privilege
- CVE-2026-44963 provides code execution on the Veeam backup server without needing elevated Active Directory credentials
- From the backup server, the attacker can delete backup job history, corrupt backup repositories, disable backup job schedules, or exfiltrate backup data
- With backup infrastructure neutralised, ransomware is deployed on production systems
Veeam Backup & Replication is the market-leading enterprise backup platform, deployed in a majority of large enterprise environments. The combination of ubiquitous deployment and high-value target status makes CVE-2026-44963 a priority for ransomware actors.
Historical Context
Veeam has been subject to multiple critical vulnerabilities in recent years that have been exploited by ransomware groups:
- CVE-2023-27532: Credential extraction from Veeam configuration database (exploited by FIN7 and Akira ransomware)
- CVE-2024-40711: Unauthenticated RCE (exploited in multiple 2024 ransomware campaigns)
- CVE-2026-44963: RCE via domain user credentials (current)
The pattern of exploitation following Veeam vulnerability disclosures makes immediate patching non-negotiable.
Recommended Actions
Update to Veeam Backup & Replication 12.2: This release patches CVE-2026-44963. The update is available from the Veeam Product Downloads portal.
Network segmentation for backup infrastructure: The Veeam Backup Service API (default port 9419/TCP) should be accessible only from authorised management workstations and backup infrastructure components, not from general domain workstation networks. Review firewall rules between workstation VLANs and backup server network segments.
Dedicated service account with minimal AD privileges: The Veeam service account should be a dedicated account with the minimum Active Directory permissions required for backup agent deployment and management. It should not be a Domain Admin account. Limiting the service account's AD scope limits the lateral movement capability if the backup server is compromised.
Monitor Veeam API access: Enable Veeam audit logging and alert on API access from unexpected source IP addresses, unusual backup job modifications, or backup deletion events. These are the post-exploitation indicators that backup infrastructure is being targeted.
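The monitoring guidance above translates into three detections: API access from outside the management network, destructive operations against backups or repositories, and job modifications by principals who do not normally operate Veeam. The following Python script is an added example written for this article, not Veeam code and not Veeam's audit log schema; the event records, field names, operation names, management subnet and operator allowlist are all constructed assumptions, so map them onto whatever your audit export actually contains.

```python
import ipaddress

# Constructed sample events. The field names and operation names are
# assumptions for this example, not Veeam's real audit log format.
SAMPLE_EVENTS = [
    {"ts": "2026-03-02T09:15:00", "src": "10.50.1.10", "user": "CORP\\vbr-admin",
     "op": "JobModified", "target": "Daily-SQL"},
    {"ts": "2026-03-02T09:16:00", "src": "10.50.1.10", "user": "CORP\\vbr-admin",
     "op": "RestoreStarted", "target": "FS01"},
    {"ts": "2026-03-02T23:41:00", "src": "10.20.77.134", "user": "CORP\\jsmith",
     "op": "JobDisabled", "target": "Daily-SQL"},
    {"ts": "2026-03-02T23:41:30", "src": "10.20.77.134", "user": "CORP\\jsmith",
     "op": "BackupDeleted", "target": "Daily-SQL"},
    {"ts": "2026-03-02T23:42:00", "src": "10.20.77.134", "user": "CORP\\jsmith",
     "op": "RepositoryRemoved", "target": "Repo-Main"},
]

# Assumed management subnet: the only range that should reach the Veeam
# Backup Service API on 9419/TCP after segmentation is in place.
MANAGEMENT_NETS = [ipaddress.ip_network("10.50.1.0/24")]

# Assumed allowlist of principals expected to change backup jobs.
EXPECTED_OPERATORS = {"CORP\\vbr-admin"}

# Operation names are hypothetical; destructive ones are the post-exploitation
# indicators the article describes (backup deletion, repository removal).
DESTRUCTIVE_OPS = {"BackupDeleted", "RepositoryRemoved", "RestorePointDeleted"}
MODIFICATION_OPS = {"JobModified", "JobDisabled", "ScheduleChanged"}


def is_management_source(src: str) -> bool:
    """True if the source address falls inside an authorised management network.
    An unparseable address is treated as unexpected rather than trusted."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in MANAGEMENT_NETS)


def analyse(events):
    """Return (findings, high_risk_users).

    findings: one record per event that tripped at least one detection,
              with the list of reasons it tripped.
    high_risk_users: principals that both came from an unexpected source
              and performed a destructive operation, the combination that
              most strongly suggests backup infrastructure is being attacked.
    """
    findings = []
    for e in events:
        reasons = []
        if not is_management_source(e["src"]):
            reasons.append("unexpected_source")
        if e["op"] in DESTRUCTIVE_OPS:
            reasons.append("backup_deletion")
        if e["op"] in MODIFICATION_OPS and e["user"] not in EXPECTED_OPERATORS:
            reasons.append("unusual_job_modification")
        if reasons:
            findings.append({"ts": e["ts"], "user": e["user"], "src": e["src"],
                             "op": e["op"], "target": e["target"],
                             "reasons": reasons})

    high_risk = sorted({
        f["user"] for f in findings
        if "backup_deletion" in f["reasons"] and "unexpected_source" in f["reasons"]
    })
    return findings, high_risk


if __name__ == "__main__":
    found, escalate = analyse(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['ts']} {f['user']:18} {f['src']:14} {f['op']:18} "
              f"{f['target']:10} {','.join(f['reasons'])}")
    print("escalate:", escalate)
```

In the constructed sample, the administrator's daytime activity from the management subnet produces nothing, while the three late-evening events from a workstation address are each flagged, and the user is escalated because deletion and an unexpected source coincide. Feeding the analyser from a real audit export means replacing SAMPLE_EVENTS with parsed records and tightening MANAGEMENT_NETS to the subnets your firewall rules actually permit toward 9419/TCP.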
Immutable backups: For organisations that cannot immediately patch, ensure that at least one backup copy is stored in an immutable format (S3 Object Lock, Linux repository with immutability enabled, tape, or air-gapped storage). Immutable copies cannot be deleted through the Veeam management API regardless of the exploiting user's privilege level.