Veeam has issued emergency security updates to address a critical flaw in its Backup & Replication software that could allow an authenticated domain user to execute arbitrary code remotely on affected servers. The vulnerability, designated CVE-2026-44963, impacts domain-joined backup servers and carries a CVSS score of 9.4, reflecting its severe potential for system compromise.

The flaw enables remote code execution (RCE) by a user holding valid domain credentials, effectively bypassing the intended access controls. According to Veeam's advisory, the vulnerability does not require administrative privileges on the domain; a standard domain user account is sufficient. This broadens the pool of potential attackers within an organization and raises the risk considerably.

Attackers who successfully exploit the flaw can gain full control over the backup server, potentially encrypting or deleting critical backups, pivoting to other systems in the domain, or establishing persistence for long-term access. The exploit does not require user interaction, and no technical mitigations beyond patching are available at this time.

Veeam recommends that all customers running affected versions of Backup & Replication apply the provided security updates immediately. The company has not released a workaround for unpatched systems and urges administrators to prioritize deploying the patch. Specific affected version numbers were not disclosed in the available sources, but the advisory labels the flaw as critical.

While no active exploitation has been reported in the wild, security researchers widely expect proof-of-concept code to emerge, given the high severity and broad install base of Veeam solutions. Organizations should treat this patch as urgent, particularly in environments where domain credentials are widely accessible.