CVE-2026-44963: A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user
Metrics
- CVSS v4.0: 9.4
- Severity: CRITICAL
- Fixed in: 12.3.2
- Affected Products: 1
HarborGuard Analysis
Synopsis
A remote code execution vulnerability affects Veeam Backup and Replication versions prior to 12.3.2. The flaw is reachable over the network and requires only a low-privilege domain user account to exploit, with no user interaction needed. Successful exploitation gives an attacker full code execution on the Backup Server, along with high-impact compromise of confidentiality, integrity, and availability across both the local system and connected scopes. A patched-image rebuild at version 12.3.2 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
- Detection (Available): the CVE is ingested from upstream feeds within minutes of publication and matched against customer images and pipeline builds across every HarborGuard environment, including custom-built images that bundle Veeam Backup and Replication. Any image carrying a vulnerable version below 12.3.2 is flagged automatically.
- Scoring and triage (Available): HarborGuard scores this finding at CVSS 9.4 (Critical) and weights it against each environment's compliance policy to assign the appropriate urgency. Triage routing directs findings to the correct team or inbox within each customer organization based on configured ownership rules.
- Remediation (Available): a patched-image rebuild at Veeam Backup and Replication version 12.3.2 becomes available on HarborGuard as soon as the upstream package is resolvable. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run regression tests, and open a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Required. The attacker must reach the Backup Server over the network; the service must be accessible from the attacker's position.
- Authentication: Required. A low-privilege domain user account is sufficient; no administrative or elevated permissions are required.
- Victim interaction: Not required. No victim action is needed; the attacker can trigger the vulnerability without any user involvement.
- Attack complexity: Low. No special conditions, race windows, or environmental factors are required for reliable execution.
Blast Radius
- Executes arbitrary code on the Backup Server host, giving the attacker a full shell or process under the server's execution context.
- Reads backup data, credentials, and configuration stored on or accessible from the Backup Server.
- Modifies or deletes backup jobs, backup data, and server configuration, potentially destroying recovery points.
- Disrupts backup and replication services, preventing recovery operations and affecting downstream systems connected to the Backup Server.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-44963 is active across all scanning pipelines, matching images that carry Veeam Backup and Replication below version 12.3.2. Given the Critical CVSS score of 9.4, this CVE is prioritized in triage queues by default. For customers who opt into auto-remediation, HarborGuard can rebuild affected images at version 12.3.2, run a regression test suite, and open a PR against impacted workloads. The median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual review before merging, the rebuild artifact and test results are staged and surfaced in the remediation dashboard for one-click approval.
Fix available
- Veeam / Backup and Replication: < 12.3.2 (from 0)
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
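As an added triage helper (example code, not HarborGuard's or Veeam's), the block below parses the CVSS v4.0 vector above into the exploit conditions listed earlier and checks a constructed image inventory against the advisory's affected range (< 12.3.2, from 0); the image names and version strings are invented for the example.

```python
import re

# The eleven base metrics every CVSS v4.0 vector must carry.
BASE_METRICS = ("AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA")

# Constructed inventory (image -> Veeam version); versions are made up.
SAMPLE_INVENTORY = {
    "registry.example/backup-srv:old": "12.3.1.1000",
    "registry.example/backup-srv:cur": "12.3.2",
    "registry.example/backup-srv:new": "12.10",
}

def parse_cvss4(vector: str) -> dict:
    """Turn 'CVSS:4.0/AV:N/...' into {'AV': 'N', ...}; reject malformed input
    so a truncated or hand-edited vector never passes as valid."""
    prefix, *parts = vector.split("/")
    if prefix != "CVSS:4.0":
        raise ValueError("not a CVSS v4.0 vector")
    metrics = {}
    for part in parts:
        key, sep, val = part.partition(":")
        if not sep or not key or not val or key in metrics:
            raise ValueError(f"bad or duplicate metric: {part!r}")
        metrics[key] = val
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics

def exploit_conditions(metrics: dict) -> dict:
    """Reduce the exploitability metrics to the prerequisites an analyst asks about."""
    return {
        "network_reachable": metrics["AV"] == "N",
        "needs_credentials": metrics["PR"] != "N",
        "needs_user_interaction": metrics["UI"] != "N",
        "low_complexity": metrics["AC"] == "L" and metrics["AT"] == "N",
    }

def version_key(version: str) -> tuple:
    """Numeric tuple so '12.10' sorts after '12.3.2' (a string compare gets it wrong)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def is_affected(version: str, fixed_in: str = "12.3.2") -> bool:
    """Advisory range: every version from 0 up to, but not including, fixed_in."""
    return version_key(version) < version_key(fixed_in)

def affected_images(inventory: dict, fixed_in: str = "12.3.2") -> list:
    """Image names still inside the affected range, in a stable order."""
    return sorted(n for n, v in inventory.items() if is_affected(v, fixed_in))
```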