Veeam Backup & Replication RCE Flaw Lets Domain Users Run Remote Code
Veeam released security patches this week to address a critical remote code execution (RCE) vulnerability in its Backup & Replication software. The flaw, designated CVE-2026-44963, is rated 9.4 out of a possible 10.0 on the Common Vulnerability Scoring System (CVSS).
According to a Tuesday advisory from Veeam, the vulnerability permits an authenticated domain user to execute arbitrary code on the Backup Server. This means an attacker who has already gained access to a domain account within an organization's network could exploit this flaw to compromise the Veeam Backup Server. The company has not disclosed specific details about the exploit's technical mechanisms or whether it has been actively exploited in the wild. However, the CVSS score indicates a significant risk to data integrity and system availability for organizations relying on Veeam's backup solutions.
Users of Veeam Backup & Replication are strongly advised to apply the provided security patches immediately to mitigate the risk of exploitation. Further details on the patches and their deployment can be found on Veeam's official support portal.
Original source — read the full reporting at the publisher:
Read on The Hacker News