
Veeam Backup & Replication EUVD-2026-35868 | CVE-2026-44963 CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-06-09 · hackerone · GHSA-qgvw-vfmj-prrg
9.4 (CVSS 4.0 · NVD)

Severity by source

NVD (primary): 9.4 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: X

Lifecycle Timeline (4 events)

  • Jun 10, 2026 02:01 · EUVD: Patch available
  • Jun 09, 2026 23:24 · vuln.today: Analysis generated
  • Jun 09, 2026 23:22 · NVD: CVSS changed to 9.4 (CRITICAL)
  • Jun 09, 2026 22:27 · nvd: CVE published, CRITICAL 9.4

Description (NVD)

A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user.

Analysis (AI)

Remote code execution in Veeam Backup & Replication enables an authenticated domain user to execute arbitrary code on the Backup Server, with a CVSS 4.0 score of 9.4 reflecting high impact across confidentiality, integrity, and availability of both the vulnerable component and downstream systems. The vulnerability is tagged as a deserialization flaw (CWE-502), and while no public exploit is identified at the time of analysis, the low attack complexity and low-privilege requirement make this a high-priority patching event for any environment running Veeam in a domain-joined configuration.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Recon: Obtain low-priv domain credentials
  • Delivery: Reach Veeam Backup Server service port
  • Exploit: Send crafted serialized .NET payload
  • Install: Trigger deserialization gadget chain
  • C2: Execute code as Veeam service account
  • Execute: Harvest backup infrastructure credentials
  • Impact: Destroy backups and deploy ransomware

Vulnerability Assessment (AI)

Exploitation: Exploitation requires (1) network reachability to the Veeam Backup Server's management/RPC service surface (per AV:N in the CVSS vector), and (2) valid credentials for any authenticated domain user in the Active Directory domain to which the Backup Server is joined (PR:L, and the description explicitly names 'an authenticated domain user' as the actor). …

Risk Assessment: Risk is high and concrete: the CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:N gives network reachability, low complexity, no attack requirements, low privileges (a regular domain user account suffices), and no user interaction, a near-worst-case profile aside from needing some authentication. …

Exploit Scenario: An attacker who has phished or otherwise obtained any low-privilege domain user account establishes a network connection to the Veeam Backup Server's exposed management service, sends a crafted serialized .NET payload to a vulnerable endpoint, and triggers a gadget chain during deserialization that executes attacker-supplied commands as the Veeam service account (typically SYSTEM or a privileged service identity). The attacker then uses the Backup Server's stored credentials and infrastructure access to enumerate and destroy backup repositories, deploy ransomware to virtualization hosts, and pivot into Active Directory: the canonical ransomware-against-backups kill chain.

Remediation: A patch is available per the vendor advisory; apply the fix documented in Veeam KB4869 (https://www.veeam.com/kb4869). The input data does not enumerate the exact patched build number, so consult the KB article directly to confirm the target version for your installed release branch. …

Recommended Action (AI)

24 hours: Enumerate all Veeam Backup & Replication servers in production; document domain users and service accounts with Backup Server access; audit recent access logs for anomalous activity. …


EUVD-2026-35868 vulnerability details – vuln.today
