Summary
- NHS England has issued a cyber alert for CVE-2026-44963 in Veeam Backup & Replication.
- Veeam says the issue affects version 12 builds before 12.3.2.4854 and does not affect version 13.x builds.
- Backup servers are high-value resilience infrastructure, particularly in ransomware recovery and disaster response.
NHS England has issued a cyber alert for a critical vulnerability in Veeam Backup & Replication that could allow authenticated attackers to execute remote code on affected backup servers.
The alert covers CVE-2026-44963, a remote code execution vulnerability with a CVSS v4 base score of 9.4. NHS England said successful exploitation could allow a remote authenticated attacker with domain user privileges to execute code on affected Veeam Backup & Replication servers. The affected versions are all builds before 12.3.2.4854, with end-of-life versions considered vulnerable. Version 13.x builds are not affected.
Veeam published its own advisory on 9 June, saying all vulnerabilities documented in the article were resolved in Veeam Backup & Replication 12.3.2.4854. The company said the issue affects domain-joined backup servers and warned that, once a vulnerability and patch are disclosed, attackers may attempt to reverse-engineer the patch to exploit unpatched deployments.
NHS England’s cyber alert urges affected organisations to review Veeam’s advisory and apply the relevant update as soon as possible. No active exploitation was confirmed in the NHS alert, but the affected product category gives the vulnerability operational weight beyond an ordinary patch cycle.
Backup servers sit inside the control layer that organisations rely on when incidents have already gone badly. They hold credentials, service permissions, infrastructure knowledge, retention policies, backup repositories, recovery jobs, and disaster recovery workflows. If compromised, they can undermine the same recovery capability that organisations expect to use after ransomware, destructive malware, insider abuse, or operational failure.
The domain-user requirement does not make the issue low risk. Many enterprise environments still have broad domain membership, legacy privilege patterns, and service accounts with more access than intended. An attacker that has already obtained a low-privilege domain foothold may view backup infrastructure as a route to higher-value systems, data repositories, or recovery suppression.
Healthcare and other regulated sectors have a narrower tolerance for that exposure. A ransomware incident that damages production systems is already serious. A ransomware incident that also compromises backup servers can extend downtime, weaken recovery confidence, and force organisations into slower, manual, or partial restoration. In healthcare, unavailable systems can affect care delivery, diagnostics, appointments, prescriptions, and operational coordination.
The advisory also reinforces the need to govern backup platforms as privileged infrastructure. They require access control, segmentation, monitoring, hardened authentication, tested recovery procedures, immutability where appropriate, and clear ownership. Patching is necessary, but it does not replace limiting who can reach backup management planes and how administrative actions are authorised.
Organisations using Veeam should verify exposed versions, identify domain-joined backup servers, prioritise the 12.3.2.4854 update, and review logs for unusual access or administrative activity. Unsupported versions should be treated as vulnerable and moved into a supported upgrade path.
The alert places recovery systems squarely inside the threat model. Backup infrastructure is often described as the last line of defence, which makes it a high-value target once an attacker has credentials and time inside a network.





