Veeam Backup and Replication Remote Code Execution via Deserialization Allows Domain User Takeover (CVE-2026-44963)
Scope: Veeam Backup and Replication Version 12.x (All Builds up to and Including 12.3.2.4465) Joined to a Windows Domain
Severity: High
A critical deserialization vulnerability (CVSS 9.4) in Veeam Backup and Replication 12.x, discovered by watchTowr researcher Sina Kheirkhah, allows any authenticated low-privilege domain user to achieve remote code execution on domain-joined backup servers by sending a crafted payload to the Veeam Backup Service's exposed .NET Remoting endpoint, exploiting a BinaryFormatter deserialization gadget chain not on Veeam's blocklist. Given that backup servers centrally store credentials for vCenter, ESXi hosts, cloud providers, and entire backup catalogs, compromise enables attackers to delete, encrypt, or exfiltrate all backup data, neutralizing an organization's ability to recover from a ransomware attack, a tactic ransomware groups including Akira, Fog, and Frag have previously weaponized against Veeam infrastructure. Organizations running version 12.x on domain-joined servers must upgrade to version 12.3.2.4854 immediately; version 13.x builds are not affected due to architectural changes, making migration to v13 an additional long-term remediation option, and as a defense-in-depth measure network access to the Veeam Backup Service on TCP port 8000 should be restricted to authorized management hosts only.
The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.