INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
ATTENTION: This report is based on previous data. New intelligence sources have been linked and the Executive Summary and Mitigations need to be re-synthesized.
Veeam RCE Flaw Exposes Backup Servers to Remote Code
2026-06-09 16:39 | CRITICAL | MEDIUM
Executive Summary AI-generated
Veeam has released security patches to address a critical flaw in its Backup & Replication software that could result in remote code execution, potentially allowing low-privileged domain users to execute arbitrary code on backup servers connected to an Active Directory domain. The vulnerability carries a CVSS score of 9.4 out of a maximum of 10.0 and has been exploited by ransomware groups. Users are advised to update to the latest version for optimal protection against this critical flaw, which could compromise full system integrity if left unpatched.
Technical Mitigations AI-generated
* Regularly update and patch software: Ensure that all Veeam Backup & Replication versions, including earlier builds, are up-to-date with the latest security patches to prevent exploitation of this vulnerability.
* Use a secure backup strategy: Implement robust backup policies, such as encryption, access controls, and regular backups, to minimize the risk of data loss or unauthorized access in case of an attack.
* Implement least privilege access: Configure domain-joined users to have limited privileges on Backup & Replication servers to reduce the attack surface and prevent low-privilege users from executing arbitrary code.
* Monitor for suspicious activity: Regularly monitor backup server logs and system performance for signs of unauthorized access or malicious activity, which can help detect potential RCE attacks early.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
FIN7
Conti, Maze, Egregor, REvil
CVE-2024-40711
CVE-2025-23121
CVE-2026-44963
Target & Sectors
Global Scope
Incident Timeline
November 2024
Threat actors exploited a previously unknown critical Veeam RCE vulnerability (CVE-2024-40711) to gain unauthorized access and control over backup servers.
For instance, in November 2024, Sophos X-Ops reported that several ransomware operations, including the Akira, Fog, and Frag gangs, had weaponized another critical VBR RCE flaw (CVE-2024-40711).
June 2025
Threat actors exploited a previously unknown vulnerability in Veeam's Backup & Replication solution to gain low-privilege access and execute arbitrary code on affected backup servers.
In June 2025, Veeam rolled out security patches to address another critical security vulnerability, tracked as CVE-2025-23121 (CVSS score of 9.9), in its Backup & Replication solution that can allow remote attackers to execute arbitrary code under certain conditions.
March 2026
Vulnerabilities were exploited remotely by low-privilege users to gain control over Backup servers.
In March 2026, Veeam resolved multiple critical vulnerabilities in Backup & Replication software that, if successfully exploited, could result in remote code execution.
Jun 09, 2026
Threat actors exploited a previously unknown vulnerability in Veeam's backup software to gain unauthorized access and control over affected systems.
2026/06/09
Veeam addressed a critical RCE vulnerability flaw in Backup & Replication that lets low-privileged domain users take control of backup servers.
The financially motivated FIN7 threat group (which often collaborated with the Maze, Egregor, Conti, REvil, and BlackBasta ransomware groups) and the Cuba ransomware gang have also both been linked to attacks targeting VBR security flaws.
Often targeted in ransomware attacks
Ransomware gangs have told BleepingComputer in the past that they always target Veeam backup servers because this allows them to steal sensitive data, move within breached networks, and block restoration efforts by deleting victims' backups.
“This reality underscores the critical importance of ensuring that all customers use the latest versions of our software and install all updates and patches without delay.”
Ransomware and extortion groups often target Veeam Backup & Replication because backup systems are a critical part of an organization’s recovery process.
Veeam has released security updates to patch a critical Backup & Replication security flaw that can be exploited to gain remote code execution (RCE) on domain-joined backup servers.
Ravie Lakshmanan
Jun 09, 2026
Vulnerability / Backup Software
Veeam has released security patches to address a critical flaw in its Backup & Replication software that could result in remote code execution.
Critical Veeam RCE Flaw Lets Low-Privilege Users Take Over Backup Servers
"A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user," Veeam said in a Tuesday advisory.
Veeam has patched a critical remote code execution vulnerability, tracked as CVE-2026-44963 (CVSS v4 Score of 9.4), affecting Backup & Replication version 12.x.
The vulnerability (tracked as CVE-2026-44963 and reported by WatchTowr security researcher Sina Kheirkhah) affects Veeam Backup & Replication (VBR) 12.3.2.4465 and all earlier version 12 builds, and was fixed in version 12.3.2.4854.
The issue was fixed in version 12.3.2.4854 and does not affect Veeam Backup & Replication 13.x, which uses a different architecture.
It impacts Veeam Backup & Replication 12.3.2.4465 and all earlier versions of 12 builds.
The shortcoming has been addressed in Veeam Backup & Replication version 12.3.2.4854.
WatchTowr researcher Sina Kheirkhah [@SinSinology] reported the issue.
Veeam Backup & Replication RCE Flaw Lets Domain Users Run Remote Code.
Tracked as CVE-2026-44963, the vulnerability carries a CVSS score of 9.4 out of a maximum of 10.0.
However, unfortunately, many companies have joined their Veeam servers to a Windows domain, ignoring Veeam's long-standing best practices.
New Veeam vulnerability exposes backup servers to RCE attacks.
Veeam's products are used by over 550,000 customers worldwide, including 82% of Fortune 500 companies and 74% of Global 2,000 firms.
The flaw could allow a low-privileged domain user to execute code on backup servers connected to an Active Directory domain, potentially leading to full system compromise.
Intelligence Sources
* BleepingComputer, 2026-06-09: New Veeam vulnerability exposes backup servers to RCE attacks
* Security Affairs, 2026-06-09
* The Hacker News, 2026-06-09
* The Hacker News, 2026-06-09
Incident Version History
CURRENT VERSION
Last Updated: 2026-06-15T10:17