ctipilot.ch

Veeam Backup & Replication 12.x authenticated domain-user deserialization RCE (CVSS 9.4); fixed 12.3.2.4854

cve · CVE-2026-44963

  • Coverage timeline: 1 (first 2026-06-10 → last 2026-06-10)
  • Briefs: 1 (1 distinct)
  • Sources cited: 6 (5 hosts)
  • Sections touched: 1 (trending_vulns)
  • Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-06-10 · CTI Daily Brief — 2026-06-10
    trending_vulns · First coverage. watchTowr (Kheirkhah); domain-joined only; v13 unaffected; no ITW.

Where this entity is cited

  • trending_vulns: 1

Source distribution

  • veeam.com: 2 (33%)
  • thehackernews.com: 1 (17%)
  • cert.ssi.gouv.fr: 1 (17%)
  • cybersecuritynews.com: 1 (17%)
  • docs.gitlab.com: 1 (17%)

Related entities

Items in briefs about Veeam Backup & Replication 12.x authenticated domain-user deserialization RCE (CVSS 9.4); fixed 12.3.2.4854 (1)

CVE-2026-44963 — Veeam Backup & Replication: authenticated domain-user deserialization RCE on the backup server (CVSS 9.4)

From CTI Daily Brief — 2026-06-10 · published 2026-06-10

Veeam patched CVE-2026-44963 (CVSS v4 9.4, CWE-502) on 9 June: any authenticated domain user — no elevated Veeam privilege required — can execute code on the Backup Server when it is domain-joined; workgroup servers are unaffected (Veeam, 2026-06-09). It affects all v12 builds up to 12.3.2.4465 and is fixed in 12.3.2.4854; v13.x is not affected. The flaw was reported by watchTowr's Sina Kheirkhah (The Hacker News, 2026-06-09). No in-the-wild (ITW) exploitation is confirmed, but backup infrastructure is a perennial pre-encryption ransomware target (Akira, Black Basta and LockBit have historically gone after Veeam first), so treat this as urgent (T1210, T1486). Upgrade to 12.3.2.4854; where patching is blocked, Veeam's hardening guidance includes removing the backup server from the domain.