Veeam has released an emergency security update addressing CVE-2026-44963, a critical remote code execution (RCE) vulnerability in Veeam Backup & Replication that carries a CVSS score of 9.4. What makes this flaw particularly alarming is its accessibility: any authenticated domain user — not just a privileged administrator — can trigger remote code execution on the backup server. Security teams are urged to apply the patch without delay.
Vulnerability Details
According to Veeam's advisory, CVE-2026-44963 allows a remote code execution attack originating from a low-privilege domain user account. The vulnerability affects Veeam Backup & Replication servers that are joined to an Active Directory domain — the most common deployment configuration in enterprise environments.
Technical profile:
- CVE: CVE-2026-44963
- CVSS Score: 9.4 (Critical)
- Attack Type: Remote Code Execution
- Auth Level: Domain user (low privilege)
- Condition: Backup server must be domain-joined
- Patch: Available — apply immediately
The flaw exists in how Veeam Backup & Replication handles remote procedure calls or service requests from domain-authenticated clients. A specially crafted request from a standard domain account can trigger code execution with the privileges of the Veeam service — which in most deployments runs with highly elevated permissions to manage backup workloads across the environment.
The "Domain User" Problem
The threshold for exploitation — a standard domain user — is important to understand in context. In a typical enterprise Active Directory environment:
- Every employee has domain credentials
- Every workstation is a potential pivot point — an attacker who compromises any endpoint inherits the credentials of any logged-in user
- Service accounts and shared credentials are common — a single compromised credential can provide domain-user-level access to multiple systems
This means the exploitable population is not "privileged administrators" — it is every human and machine on the domain. Ransomware operators who gain initial access through phishing or malware can immediately leverage domain credentials from the compromised machine to target Veeam backup servers.
Attack Scenario: Ransomware Deployment
The practical exploitation path in a ransomware campaign:
| Stage | Action |
|---|---|
| Initial Access | Phishing email delivers InfoStealer or RAT |
| Credential Harvest | Attacker extracts domain credentials from infected host |
| Reconnaissance | Scans internal network, identifies Veeam backup server |
| Exploitation | Sends crafted request using domain creds — CVE-2026-44963 triggered |
| Backup Destruction | Deletes/corrupts backup jobs and recovery points |
| Ransomware Deployment | Encrypts primary infrastructure |
| Extortion | Victim cannot restore from backup — maximum leverage |
This scenario plays out repeatedly in real ransomware incidents. The elimination of backup recovery capability is the attack that converts a bad day into a catastrophic one.
Veeam's Market Position Amplifies Risk
Veeam Backup & Replication holds a dominant position in the enterprise backup market. Industry estimates consistently place Veeam among the top two backup solutions used by Fortune 500 companies and mid-market enterprises globally. This means:
- A critical Veeam vulnerability has a massive addressable attack surface
- Ransomware tools and playbooks are already optimized to target Veeam infrastructure
- Prior Veeam CVEs have been weaponized quickly — the interval between patch release and active exploitation has been measured in hours to days in past incidents
Organizations should not treat this as a standard monthly patch — it warrants emergency priority treatment.
Remediation: What to Do Right Now
Step 1: Patch
Veeam has issued patches for all supported versions of Backup & Replication. The exact patched version varies by your current release. Check the Veeam Knowledge Base for the update applicable to your installation.
Step 2: Verify Service Account Privileges
While patching, review the privileges of the Veeam service account:
- Does the Veeam service account have Domain Admin rights? If yes, this is a misconfiguration that should be corrected — Veeam operates correctly with a dedicated service account holding specific delegated permissions.
- Is the service account password rotated regularly and distinct from any user account?
- Is the service account excluded from interactive login via Group Policy?
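The three questions above can be answered from the backup server itself. The following script is an added example, not Veeam tooling or code from the advisory; it assumes the RSAT ActiveDirectory module is installed and that Veeam service names begin with "Veeam", and the flagged group list and 90-day password threshold are illustrative choices.

```powershell
# Added example, not Veeam tooling. Run elevated on the backup server.
# Assumptions: RSAT ActiveDirectory module installed; Veeam service names start
# with "Veeam"; the group list and the 90-day threshold are illustrative.
Import-Module ActiveDirectory
$flagGroups    = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$maxPwdAgeDays = 90

# User-rights assignment on this server: who is denied interactive logon?
# secedit normally lists entries as *SID; entries stored by name are not matched.
$inf = Join-Path $env:TEMP 'veeam-audit-user-rights.inf'
secedit /export /areas USER_RIGHTS /cfg $inf | Out-Null
$line   = Select-String -Path $inf -Pattern '^SeDenyInteractiveLogonRight\s*=\s*(.+)$'
$denied = @()
if ($line) { $denied = $line.Matches[0].Groups[1].Value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } }
Remove-Item $inf -ErrorAction SilentlyContinue

Get-CimInstance Win32_Service -Filter "Name LIKE 'Veeam%'" | Group-Object StartName | ForEach-Object {
    $startName = $_.Name
    $services  = $_.Group.Name -join ', '
    # LocalSystem, NT AUTHORITY\*, NT SERVICE\* and .\local accounts are not AD accounts.
    if (-not $startName -or $startName -match '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\|\.\\)') {
        return [pscustomobject]@{ Account = $startName; Services = $services; Note = 'built-in or local identity' }
    }
    # Accept DOMAIN\name and name@domain; the lookup covers the current domain only.
    $sam  = ($startName -split '\\')[-1] -replace '@.*$', ''
    $acct = Get-ADObject -LDAPFilter "(sAMAccountName=$sam)" -Properties objectSid, pwdLastSet
    if (-not $acct) {
        return [pscustomobject]@{ Account = $startName; Services = $services; Note = 'not found in AD' }
    }
    # Transitive group membership (LDAP_MATCHING_RULE_IN_CHAIN), so nesting is caught.
    $groups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($acct.DistinguishedName))")
    $sids   = @($acct.objectSid.Value) + @($groups | ForEach-Object { $_.SID.Value })
    $pwdAge = [int](([DateTime]::UtcNow - [DateTime]::FromFileTimeUtc($acct.pwdLastSet)).TotalDays)
    [pscustomobject]@{
        Account          = $startName
        Services         = $services
        PrivilegedGroups = ($groups.Name | Where-Object { $flagGroups -contains $_ }) -join ', '
        PasswordAgeDays  = $pwdAge
        PasswordStale    = $pwdAge -gt $maxPwdAgeDays
        DenyInteractive  = [bool]($sids | Where-Object { $denied -contains $_ })
    }
} | Format-List
```

A non-empty `PrivilegedGroups`, `PasswordStale = True`, or `DenyInteractive = False` on a domain account corresponds to one of the three review points above.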
Step 3: Implement Network Segmentation
Domain-joined backup servers should be isolated on a dedicated backup network segment. Recommended network segmentation for backup infrastructure:
- Backup server VLAN isolated from general user VLAN
- Firewall rules: only Veeam proxies, repositories, and designated admin IPs can reach backup server ports
- Block inbound connections to Veeam service ports from workstation subnets
This does not prevent exploitation if the attacker has already pivoted to a machine in the backup network segment — but it significantly raises the bar for initial access.
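The host firewall on the backup server is one place to verify that Veeam ports are not reachable from arbitrary sources. The script below is an added example, not Veeam tooling; it assumes Veeam process names begin with "Veeam" and discovers the listening ports at run time instead of relying on a fixed port list.

```powershell
# Added example, not Veeam tooling. Run elevated on the backup server.
# Assumption: Veeam processes have names beginning with "Veeam".
$veeam = @(Get-Process -Name 'Veeam*' -ErrorAction SilentlyContinue)
$ports = @(Get-NetTCPConnection -State Listen |
    Where-Object { $veeam.Id -contains $_.OwningProcess -and $_.LocalAddress -notin '127.0.0.1', '::1' } |
    Select-Object -ExpandProperty LocalPort -Unique)

# True when a rule's LocalPort spec ('Any', '80', '5000-5010') covers $Port.
# Keyword specs such as 'RPC' are not resolved and never match.
function Test-PortCovered([string[]]$Spec, [int]$Port) {
    foreach ($s in $Spec) {
        if ($s -eq 'Any' -or $s -eq "$Port") { return $true }
        if ($s -match '^(\d+)-(\d+)$' -and $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
    }
    return $false
}

# ActiveStore is the merged local + Group Policy rule set actually enforced.
$rules = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Enabled True -Action Allow
foreach ($rule in $rules) {
    $pf = $rule | Get-NetFirewallPortFilter
    if ($pf.Protocol -notin 'TCP', 'Any') { continue }
    $hit = @($ports | Where-Object { Test-PortCovered $pf.LocalPort $_ })
    if ($hit.Count -eq 0) { continue }
    # Skip rules scoped to a program that is not one of the Veeam processes.
    $program = [Environment]::ExpandEnvironmentVariables(($rule | Get-NetFirewallApplicationFilter).Program)
    if ($program -ne 'Any' -and $veeam.Path -notcontains $program) { continue }
    $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        VeeamPorts    = $hit -join ','
        Program       = $program
        RemoteAddress = $remote -join ','
        OpenToAny     = $remote -contains 'Any'
    }
}
```

Rules reported with `OpenToAny = True` accept connections from any source address, including workstation subnets; the remaining rows list the source ranges to compare against the proxies, repositories and admin IPs that should be allowed. The result only reflects the host firewall, so a disabled firewall profile or an upstream network firewall has to be reviewed separately.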
Step 4: Enable Immutable Backups
Veeam supports immutable backup repositories via:
- Linux hardened repositories with immutability enabled (XFS or ext4 with immutable flag)
- S3-compatible object storage with Object Lock enabled
- Veeam Cloud Connect with immutability features
An immutable backup copy ensures that even if an attacker achieves code execution on the backup server, they cannot delete or modify the protected backup data within the immutability window.
Step 5: Verify Offsite Copies
Confirm that your offsite or cloud backup copies are:
- Accessible with credentials not stored on the primary backup server
- Not mounted or accessible from domain-joined systems that could be reached by the attacker
- Within the retention window to support a full recovery scenario
CVSS 9.4: Understanding the Score
A CVSS 9.4 places CVE-2026-44963 firmly in Critical territory. The breakdown:
| Metric | Value | Rationale |
|---|---|---|
| Attack Vector | Network | Remote exploitation across the domain |
| Attack Complexity | Low | Straightforward exploitation |
| Privileges Required | Low | Domain user sufficient |
| User Interaction | None | No victim interaction needed |
| Scope | Changed | Backup server compromise affects entire protected environment |
| Confidentiality | High | Access to all backup data |
| Integrity | High | Can modify or destroy backups |
| Availability | High | Can disable backup services |
The "Changed" scope designation reflects the fact that a successful exploit affects systems beyond the vulnerable component itself — in this case, the entire backup ecosystem.
Key Takeaways
- CVE-2026-44963 is CVSS 9.4 — any domain user can trigger RCE on Veeam backup servers
- Backup servers are the most critical ransomware target — exploitation eliminates recovery options
- Patch immediately — do not wait for a scheduled maintenance window
- Implement immutable backups as a defense-in-depth control that survives even a successful compromise
- Review service account privileges and network segmentation to harden the backup infrastructure beyond the patch