Veeam released an emergency patch on June 9 for a critical remote code execution flaw (CVE-2026-44963) in Backup & Replication 12.x — the backup software running on the majority of small-business servers in York County. The bug carries a 9.4 CVSS score and lets any low-privilege domain user take over the backup server, which is exactly the asset ransomware crews target first when they want to make sure you can't recover without paying.
What happened
On June 9, 2026, Veeam published an advisory and patch for CVE-2026-44963, a flaw that enables authenticated domain users to execute arbitrary code remotely on backup servers, with a CVSS v4 score of 9.4 — firmly in the critical severity tier. The vulnerability was reported by WatchTowr researcher Sina Kheirkhah.
The bug affects Veeam Backup & Replication 12.3.2.4465 and all earlier version 12 builds, and was fixed in version 12.3.2.4854. Version 13.x is not affected due to architectural changes Veeam introduced in that release.
The catch that makes this dangerous: the vulnerability only impacts domain-joined backup servers. Organizations running Veeam in a workgroup configuration rather than an Active Directory domain environment are not affected by this specific flaw. Unfortunately, many companies have joined their Veeam servers to a Windows domain, ignoring Veeam's long-standing best practices.
Why this is a small-business problem, not just an enterprise problem
Backup servers are the single most valuable target on your network — and ransomware crews know it. Backup systems represent the organization's last line of defense against a ransomware event. An adversary who compromises backup infrastructure before deploying encryption removes the victim's ability to recover independently, dramatically increasing ransom leverage and enabling double-extortion scenarios.
This is not a hypothetical. CISA has flagged four separate Veeam Backup and Replication flaws as actively exploited in attacks, all abused by ransomware gangs. In November 2024, Sophos X-Ops reported that several ransomware operations — including the Akira, Fog, and Frag gangs — had weaponized another critical VBR RCE flaw (CVE-2024-40711).
And the clock is already ticking on this new one. While there are no reports of active exploitation yet, Veeam warned that attackers will often begin developing exploits as soon as patches are released. Translation: if your Veeam server is still on a vulnerable 12.x build by the end of next week, assume someone is scanning for it. A real managed IT services lineup includes patch management on critical infrastructure exactly so business owners aren't watching CVSS scores at 9 PM.
What your IT provider should be doing this week
If you run Veeam Backup & Replication — or your MSP runs it on your behalf — here's the short checklist:
1. Upgrade to Veeam Backup & Replication 12.3.2.4854, released June 9, 2026, via Veeam KB4696. Treat this as a top priority.
2. Confirm whether your backup server is domain-joined. Isolate backup infrastructure from general network access by enforcing strict network segmentation, restricting management interfaces to known administrative hosts, and removing any internet-facing exposure of backup consoles or APIs.
3. Enforce multi-factor authentication on all access pathways into backup environments, including VPN gateways, remote desktop sessions, and backup management consoles, to eliminate the risk of compromised domain credentials being used to trigger RCE.
4. Test a restore. A backup you've never restored from is a hope, not a backup.
If your provider can't tell you within an hour what version of Veeam you're on and whether the server is domain-joined, that's its own problem worth fixing.
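To make the version and domain-join questions concrete, here is an added example (not Veeam's or York Computer's tooling) that triages a server inventory against the details in this post. The host names, sample builds and status labels are constructed for illustration, and it assumes any 12.x build below 12.3.2.4854 should be treated as vulnerable.

```python
# Added example: triage a Veeam B&R inventory against the advisory details above.
FIXED_BUILD = (12, 3, 2, 4854)  # fixed build, taken from the advisory text

# Lower number = handle first. Status labels are hypothetical names for this example.
PRIORITY = {"EXPOSED": 0, "CONFIRM_DOMAIN": 1, "UNKNOWN": 2,
            "UPGRADE_ANYWAY": 3, "PATCHED": 4, "NOT_AFFECTED": 4}


def parse_build(text):
    """Parse a four-part build string such as '12.3.2.4465' into a tuple of ints."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part build: {text!r}")
    return tuple(int(p) for p in parts)


def assess(build, domain_joined):
    """Classify one server. domain_joined is True, False, or None (not yet checked)."""
    try:
        version = parse_build(build)
    except (ValueError, AttributeError):
        return "UNKNOWN"        # missing or malformed build: nobody has looked yet
    if version[0] >= 13:
        return "NOT_AFFECTED"   # 13.x is stated as not affected
    if version[0] < 12:
        return "UNKNOWN"        # the advisory text only covers version 12 builds
    if version >= FIXED_BUILD:
        return "PATCHED"
    # Assumption: every 12.x build below the fixed build is treated as vulnerable.
    if domain_joined is None:
        return "CONFIRM_DOMAIN"
    return "EXPOSED" if domain_joined else "UPGRADE_ANYWAY"


def triage(inventory):
    """Return (host, status) pairs, most urgent first, ties ordered by host name."""
    rows = [(host, assess(build, joined)) for host, build, joined in inventory]
    return sorted(rows, key=lambda r: (PRIORITY[r[1]], r[0]))


# Constructed sample inventory: (host, reported build, domain-joined flag).
SAMPLE = [
    ("bkp-acct", "12.3.2.4854", True),
    ("bkp-clinic", "12.3.2.4465", True),
    ("bkp-shop", "12.1.0.2131", False),
    ("bkp-plant", "12.2.0.334", None),
    ("bkp-lab", "13.0.0.100", True),
    ("bkp-old", None, True),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE):
        print(f"{status:15} {host}")
```

A workgroup server on an old build lands in UPGRADE_ANYWAY rather than a clean bill of health: this flaw does not apply to it, but the build is still behind the fixed release.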
What York businesses should do
If you're a York County business owner running Veeam — and most local manufacturers, accounting firms, and medical practices either use it directly or have an MSP using it on the back end — get written confirmation this week that build 12.3.2.4854 is installed. York Computer is auditing every Veeam deployment we manage for affected clients; if you're not sure who owns this patch at your shop, that uncertainty is the real risk.