Veeam has released security patches to address a critical flaw in its Backup & Replication software that could result in remote code execution.
Tracked as CVE-2026-44963, the vulnerability carries a CVSS score of 9.4 out of a maximum of 10.0.
“A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user,” Veeam said in a Tuesday advisory.
It credited watchTowr researcher Sina Kheirkhah for responsibly discovering and reporting the issue. It impacts Veeam Backup & Replication 12.3.2.4465 and all earlier versions of 12 builds.
Veeam has noted that the vulnerability does not affect any version 13.x build of the backup software due to architectural changes introduced in version 13.
The shortcoming has been addressed in Veeam Backup & Replication version 12.3.2.4854.
In March 2026, Veeam resolved multiple critical vulnerabilities in Backup & Replication software that, if successfully exploited, could result in remote code execution.
It’s essential that users update to the latest version for optimal version, particularly given that prior vulnerabilities in the program have been exploited by bad actors, including ransomware groups.
