CVE-2026-44963: Critical RCE in Veeam Backup & Replication - Patch Now
Hey everyone,
Just saw the advisory drop regarding CVE-2026-44963 in Veeam Backup & Replication. This one looks nasty. It's scored a 9.4 on the CVSS scale and allows for Remote Code Execution (RCE) on the Backup Server.
What's particularly concerning is the low barrier to entry: Veeam states that an authenticated domain user can trigger this. Given that backup servers are often the "crown jewels" of an infrastructure (having access to everything), this is a massive privilege escalation risk. If an attacker compromises a standard domain user account, they could potentially leverage this to pivot to the backup server and tamper with or encrypt your backups.
We are currently scanning our environment to identify unpatched instances. Here is a quick PowerShell snippet to check the installed version if you are managing multiple servers:
# Get Veeam Build Number from Registry
$regPath = "HKLM:\Software\Veeam\Veeam Backup and Replication"
if (Test-Path $regPath) {
$version = (Get-ItemProperty $regPath).Version
Write-Host "Veeam Version detected: $version"
} else {
Write-Host "Veeam Backup & Replication not found."
}
While we wait for the full technical deep dive, I recommend restricting access to the Veeam console and ensuring your service accounts have strictly limited privileges.
Has anyone started rolling out the patches yet? I'm worried about potential service disruptions during the update process given how critical these servers are.
We patched our dev environment about an hour ago. The process was smoother than expected, but you definitely need to stop the Veeam Backup Service first.
From a detection standpoint, we are adding a Sigma rule to monitor for unusual child processes spawned by Veeam.Backup.Service.exe. If you see cmd.exe or powershell.exe popping up as a child of that service, you're likely already compromised.
Great catch on the registry script. Just ran it across our fleet and found two legacy servers still on an older build from last year.
For anyone running Veeam in AWS or Azure, check your security groups. Ensure port 6180 (TCP) isn't exposed to the world. While this requires auth, reducing the attack surface is always a good move during patching windows.
Rita, to follow up on detection, monitor for unexpected child processes spawned by Veeam.Backup.Service.exe. We're hunting using this KQL query in Sentinel to catch potential post-exploitation activity:
DeviceProcessEvents
| where InitiatingProcessFileName == "Veeam.Backup.Service.exe"
| where FileName in~ ("powershell.exe", "cmd.exe")
Given the privilege escalation potential, enabling just-in-time (JIT) access for the backup server might be a prudent temporary measure until full patching is complete.
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access