Critical Veeam Backup Flaw Lets Attackers Take Over Backup Servers
Tech Translated (the All IT Services blog for Australian businesses)

Veeam has released an urgent fix for a critical flaw in Backup & Replication version 12 that lets an attacker run their own code on your backup server (remote code execution). The vulnerability (CVE-2026-44963, scored 9.4 out of 10) affects all v12 builds up to and including 12.3.2.4465 and is fixed in version 12.3.2.4854, released Tuesday, as reported by BleepingComputer. The catch: any low-privileged domain user account can exploit it, with no admin rights needed, so a single phished staff login or compromised workstation is enough. Only domain-joined backup servers are affected, and version 13 isn't impacted at all.

Here's why this one matters more than most. Ransomware crews go after backup servers early, because deleting or encrypting your backups before encrypting your files is what forces you to pay. Four previous Veeam flaws have ended up on CISA's actively-exploited list, all abused by ransomware gangs. And plenty of Australian businesses run Veeam exactly the way this flaw needs: joined to the Windows domain, against Veeam's own long-standing advice. There's no confirmed exploitation yet, but attackers routinely reverse-engineer patches within days of release, so the safe window is short.

What to do: if you run Veeam Backup & Replication v12, update to 12.3.2.4854 today. Then ask a harder question: is your backup server joined to your domain? If it is, talk to your IT provider about moving it to a workgroup or, at minimum, restricting which hosts and accounts can reach it (management access only from a dedicated admin workstation, not from every domain PC). Your backup server should be the hardest box on your network to touch, not the easiest.
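If you want to confirm where a server stands before calling anyone, the following PowerShell check is an added example written for this post; it is not from the original article, from Veeam, or from All IT. It assumes Veeam registers itself in the standard Windows installed-programs registry keys with a DisplayName beginning "Veeam Backup & Replication" and a four-part DisplayVersion such as 12.3.2.4465 (both assumptions; check Control Panel if the lookup finds nothing). Run it in an elevated PowerShell window on the backup server itself.

```powershell
# Added example (not from the All IT post or from Veeam). Reads the installed
# Veeam Backup & Replication build from the installed-programs registry keys,
# checks whether this host is domain-joined, and reports whether the two
# conditions from the advisory (v12 below the fixed build, domain-joined) hold.
$fixedBuild = [version]'12.3.2.4854'   # fixed build named in the advisory

# Assumption: Veeam appears under the standard Uninstall keys (64-bit and WOW6432Node).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$veeam = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Veeam Backup & Replication*' } |
    Select-Object -First 1

if (-not $veeam) {
    Write-Output 'Veeam Backup & Replication not found in the installed-programs registry; nothing to check on this host.'
    return
}

# Assumption: DisplayVersion carries the full build number (e.g. 12.3.2.4465).
$installed    = [version]$veeam.DisplayVersion
$domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

# Version 13 is not affected, so only major version 12 below the fixed build counts.
$needsPatch = ($installed.Major -eq 12) -and ($installed -lt $fixedBuild)

[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    InstalledBuild = $installed.ToString()
    FixedBuild     = $fixedBuild.ToString()
    DomainJoined   = $domainJoined
    NeedsPatch     = $needsPatch             # update to the fixed build regardless
    ExposedNow     = ($needsPatch -and $domainJoined)   # both advisory conditions met
}
```

NeedsPatch tells you whether to install 12.3.2.4854; ExposedNow tells you whether the server is in the configuration this specific flaw needs. A server that is patched but still DomainJoined is the case the paragraph above asks you to discuss with your IT provider.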

Not sure how your backups are set up? All IT can review your backup and disaster recovery configuration as part of a broader cybersecurity check.
