Security researchers have discovered a high-severity vulnerability in Veeam Backup & Replication, tracked as CVE-2026-44963, that could allow authenticated domain users to execute remote code on backup servers.
The flaw is caused by insecure BinaryFormatter deserialization, a long-known security risk in .NET applications. According to researchers, the issue continues a pattern of similar vulnerabilities affecting Veeam’s .NET Remoting components.
How the Vulnerability Works
Veeam Backup & Replication is widely used by organizations to manage backup, disaster recovery, and replication across virtual, physical, and cloud environments.
The vulnerability affects the Veeam Backup Service, which exposes a .NET Remoting HTTP endpoint on TCP port 8000.
Instead of allowing only trusted object types, the service relies on a blacklist-based filtering mechanism. While known dangerous classes are blocked, any unlisted serializable class is still accepted, creating an opportunity for attackers to bypass the protection.
Low-Privilege Users Can Exploit the Flaw
Researchers found that the vulnerability can be exploited by any authenticated domain user.
The application only verifies whether a user belongs to the standard Windows User group, meaning administrative privileges are not required to reach the vulnerable component.
An attacker can abuse this weakness to execute malicious serialized objects and ultimately run arbitrary commands on the backup server.
Exploitation Process
The attack follows a sequence of interactions with the Veeam service before delivering the malicious payload.
During exploitation, the attacker:
- Creates a restore session.
- Initializes the backup session.
- Sends a malicious BinaryFormatter payload.
- Triggers insecure deserialization.
- Executes arbitrary commands on the server.
Researchers demonstrated that the exploit abuses System.Data.DataSet deserialization to instantiate ObjectDataProvider, which can invoke Process.Start() and execute attacker-controlled commands.
Because the Veeam Backup Service typically runs with SYSTEM privileges, successful exploitation can result in full control of the backup server.
Why This Vulnerability Exists
The root cause is Veeam’s continued use of BinaryFormatter, a serialization technology that Microsoft has considered unsafe and deprecated since .NET 5.
Researchers explain that relying on blocklists is not a long-term solution because attackers can continue discovering new classes capable of bypassing the restrictions.
Previous vulnerabilities, including CVE-2024-40711 and CVE-2025-23120, were based on the same underlying weakness.
Patch and Mitigation
Veeam addressed the issue in version 12.3.2.4854 (KB4696) by adding the newly discovered gadget class to its BinaryFormatter blacklist.
However, researchers note that the update does not remove BinaryFormatter or redesign the underlying deserialization process.
In contrast, Veeam Backup & Replication 13.x removes the BinaryFormatter-based implementation entirely, eliminating this class of vulnerabilities.
Security Recommendations
Organizations using Veeam Backup & Replication 12.x should take immediate action to reduce the risk of exploitation.
Recommended security measures include:
- Apply the latest Veeam security updates.
- Restrict access to TCP port 8000.
- Limit network exposure of backup servers.
- Consider deploying backup servers in workgroup mode instead of domain-joined environments where appropriate.
- Monitor backup servers for suspicious deserialization or remote execution activity.
Because backup infrastructure is frequently targeted by ransomware groups, organizations should prioritize patching this vulnerability to prevent attackers from gaining control over critical backup systems.