CVE-2026-44963 — Veeam Backup & Replication: authenticated domain-user deserialization RCE on the backup server (CVSS 9.4)

Veeam patched CVE-2026-44963 (CVSS v4 9.4, CWE-502) on 9 June: any authenticated domain user — no elevated Veeam privilege required — can execute code on the Backup Server when it is domain-joined; workgroup servers are unaffected (Veeam, 2026-06-09). It affects all v12 builds up to 12.3.2.4465 (fixed in 12.3.2.4854); v13.x is not affected. Reported by watchTowr's Sina Kheirkhah (The Hacker News, 2026-06-09). No ITW exploitation is confirmed, but backup infrastructure is a perennial pre-encryption ransomware target (Akira, Black Basta, LockBit have historically gone after Veeam first), so treat as urgent (T1210, T1486). Upgrade to 12.3.2.4854; where patching is blocked, Veeam's hardening guidance includes removing the backup server from the domain.