Your backup server just became a CVSS 9.4 problem.

Veeam disclosed CVE-2026-44963 on June 9: any authenticated domain user — not an admin, not a privileged account — can execute code directly on a Veeam Backup & Replication server. A standard Active Directory login is enough. The flaw was discovered by watchTowr researcher Sina Kheirkhah.

Affected: all Veeam Backup & Replication v12 builds up to 12.3.2.4465. Version 13.x is not affected due to architectural changes. Fix: update to 12.3.2.4854, released June 9.

The risk isn’t just the CVE score. Ransomware operators go after backup servers first. Control the backups, control the recovery conversation. Organizations that assume their Veeam instance is safe because it sits on the internal network have not thought through what any domain user on that network can now do: every phished workstation, every compromised service account, every contractor login is a domain user, and each of them is now a path to code execution on the backup server.

The historical pattern is consistent. CVE-2023-27532 had a public proof-of-concept within 48 hours of disclosure. CVE-2024-40711 was exploited in active ransomware campaigns within days. There is no confirmed in-the-wild exploitation of CVE-2026-44963 as of June 9. That window closes in days, not weeks.

If you own this, do this:

Patch to 12.3.2.4854 immediately. There is no workaround — the only fix is the update.

Audit network access to your Veeam server. If domain user workstations can reach ports 9395 or 9399, that is your exposure surface. Test it from a standard user workstation, not from an admin jump host, because that is the vantage point the CVE grants. Firewall it now.

Isolate backup infrastructure. Dedicated VLAN, separate administrator credentials for Veeam, no direct access from corporate user networks. This is Veeam’s own hardening guidance and it protects against this class of attack.
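The two checks from the steps above, as an added example (my code, not Veeam’s and not from watchTowr): is the installed build still in the affected range, and can the workstation you run this from open a TCP connection to the Veeam service ports? Build numbers, the fixed build and the port list are taken from the post; the hostname and the build string passed at the bottom are placeholders, and treating every 12.x build below the fixed build as needing the update (not only those up to 12.3.2.4465) is my assumption.

```python
"""Added example, not Veeam's code: audit the exposure described in the post.

Run it from a *standard* domain workstation, the vantage point the CVE grants:
  1. Is the installed build a 12.x build older than the fixed build?
  2. Can this workstation complete a TCP handshake to the Veeam service ports?
"""
import socket
from typing import Iterable

FIXED_BUILD = (12, 3, 2, 4854)   # patched 12.x build named in the post
VEEAM_PORTS = (9395, 9399)       # service ports the post says user workstations must not reach


def parse_build(build: str) -> tuple:
    """Turn '12.3.2.4465' into (12, 3, 2, 4465) so builds compare numerically.
    String comparison would get this wrong ('12.3.2.4854' < '12.3.2.465')."""
    parts = build.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted build number: {build!r}")
    return tuple(int(p) for p in parts)


def needs_patch(build: str) -> bool:
    """True when the build is a 12.x build older than FIXED_BUILD.
    13.x is reported unaffected, so it is never flagged.
    Assumption (mine, not the advisory's): any 12.x build below the fixed
    build is treated as needing the update, not only builds up to 12.3.2.4465."""
    v = parse_build(build)
    if v[0] != 12:
        return False
    return v < FIXED_BUILD


def reachable_ports(host: str, ports: Iterable[int] = VEEAM_PORTS,
                    timeout: float = 2.0) -> list:
    """Return the subset of `ports` on `host` that accept a TCP connection.
    A non-empty result from a user workstation is the exposure surface the post
    describes. An empty result means segmentation is holding, or the host is
    down; confirm reachability from an admin host separately."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:   # 0 means the handshake completed
                open_ports.append(port)
    return open_ports


if __name__ == "__main__":
    import sys
    # Placeholder host and build (assumed values, not from the post); replace
    # with the backup server's FQDN and the build shown in the Veeam console.
    host = sys.argv[1] if len(sys.argv) > 1 else "veeam-bkp.example.internal"
    build = sys.argv[2] if len(sys.argv) > 2 else "12.3.2.4465"
    status = "NEEDS PATCH" if needs_patch(build) else "not in affected range"
    print(f"build {build}: {status}")
    exposed = reachable_ports(host)
    print(f"{host}: Veeam ports reachable from this workstation: {exposed or 'none'}")
```

Run it as `python veeam_audit.py <veeam-fqdn> <build>` from an ordinary user’s desktop. If the port list comes back non-empty, the firewall step has not been done; if the build comes back as needing the patch, nothing else on this list substitutes for the update.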

Links for a deeper technical dive are in the comments.

For those who want a deeper dive into this topic: