Rankiteo
Veeam Software

Veeam Software Vendor Cyber Rating & Cyber Score

veeam.com

Welcome to Veeam’s LinkedIn page. Follow us here for company news, product updates, events and more. Veeam®, the #1 global market leader in data resilience, believes every business should be able to bounce forward after a disruption with the confidence and control of all their data whenever and wherever they need it. Veeam calls this radical resilience, and we’re obsessed with creating innovative ways to help our customers achieve it. With Veeam, organizations achieve radical resilience through data security, data recovery, and data freedom for their hybrid cloud. Veeam solutions are purpose-built for powering data resilience by providing data backup, data recovery, data freedom, data security, and data intelligence. With Veeam, IT and


Veeam Software A.I CyberSecurity Scoring

Veeam Software
Company Information
Website: https://www.veeam.com
Employees number: 6,673
Number of followers: 441,236
NAICS: 5112
Industry Type: Software Development
Homepage: veeam.com
Veeam Software Risk Score (AI oriented)
Between 0 and 549
Veeam Software, Software Development
Updated: 09/06/2026
100/1000
Critical
C
Powered by our proprietary A.I cyber incident model
Insurance prefers TPRM score to calculate premium

Veeam Software
Veeam Software: Critical
Current Score
100, C (CRITICAL)
Scale: 0 to 1000
15 incidents
0 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
100 Before Incident
Vulnerability
09 Jun 2026, Veeam Software
Veeam: Critical Veeam Vulnerability Allows RCE Attacks on Backup Servers

Critical RCE Vulnerability in Veeam Backup & Replication Exposes Enterprise Systems

100 After Incident
CRITICAL (0)
VEE1781029519
A severe security flaw, tracked as CVE-2026-44963, has been disclosed in Veeam Backup & Replication, a widely used enterprise backup solution. The vulnerability, rated 9.4 (Critical) on the CVSS v4 scale, allows authenticated domain users to execute arbitrary code remotely on affected backup servers, significantly increasing the risk of compromise for organizations relying on Veeam for data protection.

Discovered by security researcher Sina Kheirkhah (@SinSinology) of WatchTowr, the flaw enables remote code execution (RCE) with minimal privileges: any domain user can exploit it. The vulnerability only affects domain-joined backup servers, excluding workgroup configurations, which Veeam has previously noted as a more secure deployment option.

Affected Versions:
- Veeam Backup & Replication 12.x (all versions through 12.3.2.4465)
- Earlier 12.1, 12.2, and 12.3 releases (prior to build 4854)
- Unsupported versions (assumed vulnerable)

Unaffected Versions:
- Veeam Backup & Replication 13.x (due to architectural changes)

Veeam released a patch (12.3.2.4854) on June 9, 2026, urging immediate upgrades. Given the critical severity and low exploitation threshold, unpatched systems are at high risk of targeted attacks, particularly as threat actors reverse-engineer the fix. Backup servers are prime targets for ransomware operators, making rapid remediation essential for enterprise security teams.
INCIDENT DETAILS -
TYPE
Remote Code Execution (RCE)
IMPACT
Systems Affected: Backup servers
MAY 2026
100 Before Incident
Vulnerability
27 May 2026, Veeam Software
Veeam: Veeam Backup & Replication Tool Vulnerability Enables Privilege Escalation Attacks

Veeam Patches High-Severity Privilege Escalation Flaw in Backup & Replication Platform

100 After Incident
CRITICAL (0)
VEE1779964016
Veeam has resolved a high-severity vulnerability (CVE-2026-32996) in its Backup & Replication platform that could allow attackers to escalate privileges on compromised systems. The flaw, rated 7.3 on the CVSS v3.1 scale, affects Veeam Backup & Replication version 13.0.1.2067 and all earlier version 13 builds, specifically targeting the Veeam Agent for Microsoft Windows component.

Exploiting this vulnerability enables attackers with limited access to gain elevated permissions, potentially executing arbitrary commands, disabling security controls, or moving laterally within a network. Such privilege escalation flaws are particularly dangerous in real-world attacks, as they often follow initial breaches (such as phishing or credential theft) to expand control over enterprise systems.

The issue was reported via HackerOne by a researcher affiliated with Alibaba, demonstrating the role of coordinated vulnerability disclosure in strengthening security. Veeam addressed the flaw in version 13.0.2.29, released as part of its latest update cycle. The company disclosed the vulnerability in advisory KB4852 on May 27, 2026, warning that attackers frequently reverse-engineer patches to target unpatched systems, increasing risks for organizations that delay updates.

Backup and recovery systems are prime targets for ransomware groups, as compromising them can prevent data restoration and amplify attack impact. Veeam has emphasized the need for immediate patching, alongside best practices such as least-privilege access, activity monitoring, and network isolation for backup environments. The company maintains a Vulnerability Disclosure Program and conducts internal audits to proactively mitigate risks.
INCIDENT DETAILS -
TYPE
Privilege Escalation
IMPACT
Systems Affected: Veeam Backup & Replication (version 13.0.1.2067 and earlier version 13 builds), Veeam Agent for Microsoft Windows
Operational Impact: Potential execution of arbitrary commands, disabling security controls, lateral movement within a network
APRIL 2026
100 Before Incident
MARCH 2026
100 Before Incident
FEBRUARY 2026
100 Before Incident
JANUARY 2026
100 Before Incident
Cyber Attack
11 Jan 2026, Veeam Software
Fortinet: Amazon: Low-Skill Hacker Used AI Tools to Breach FortiGate Devices Globally

AI-Powered Cyberattacker Compromises 600+ FortiGate Devices in Global Campaign

100 After Incident
CRITICAL (0)
FOR1771958426
A recent investigation by Amazon Threat Intelligence has exposed a new threat: an AI-augmented cybercriminal with limited technical expertise who breached over 600 FortiGate security devices across 55 countries in just 38 days (11 January–18 February 2026). The Russian-speaking attacker leveraged commercial AI services to automate and scale their operations, transforming basic hacking techniques into a high-efficiency intrusion campaign.

### How the Attack Unfolded

The attacker used AI-generated Python and Go scripts to scan the internet for exposed management ports (443, 8443, 10443, 4443), a tactic that eliminated the need for manual reconnaissance. Rather than deploying sophisticated exploits, they relied on AI-assisted brute-forcing of common or stolen passwords to gain initial access. Once inside, the attacker employed AI to map internal networks and deploy well-known offensive tools like Meterpreter and Mimikatz to extract credentials from Active Directory servers. A key objective was locating Veeam Backup & Replication servers, enabling them to disable data recovery options, a tactic that could force victims into paying ransoms by eliminating their ability to restore systems.

### AI’s Double-Edged Role

While AI amplified the attacker’s capabilities, it also became a critical weakness. The AI-generated code was effective for simple tasks but failed under complex conditions, particularly when attempting to exploit vulnerabilities like CVE-2019-7192 and CVE-2023-27532. The campaign’s success was concentrated in regions with weaker security postures, including South Asia, Southeast Asia, Latin America, West Africa, and Northern Europe.

### Defensive Takeaways

The incident underscores that AI-driven attacks are lowering the barrier to entry for cybercriminals, but traditional security measures remain effective. The attacker’s failures against patched systems and advanced exploits highlight the importance of basic cyber hygiene, including:
- Restricting public access to management ports.
- Enforcing Multi-Factor Authentication (MFA) to neutralize password-based attacks.
- Avoiding password reuse between security devices and corporate networks.
- Promptly applying security patches to close known vulnerabilities.

The case serves as a stark reminder that even low-skilled threat actors can inflict widespread damage when armed with AI, while also demonstrating that fundamental security practices can still thwart such campaigns.
INCIDENT DETAILS -
TYPE
Cyber Intrusion
MOTIVATION
Financial gain (potential ransomware)
IMPACT
Data Compromised: Credentials (Active Directory), backup server access
Systems Affected: 600+ FortiGate devices, Veeam Backup & Replication servers
Operational Impact: Disabled data recovery options, potential ransomware deployment
DATA BREACH
Type Of Data Compromised: Credentials, backup server access
Sensitivity Of Data: High (Active Directory credentials, backup systems)
JANUARY 2026
100 Before Incident
Vulnerability
06 Jan 2026, Veeam Software
Veeam: Veeam Patches Critical RCE Vulnerability with CVSS 9.0 in Backup & Replication

Veeam Backup & Replication Software Vulnerabilities

100 After Incident
CRITICAL (0)
VEE1767793059
Veeam Patches Critical RCE Flaws in Backup & Replication Software

Veeam has released security updates to fix multiple vulnerabilities in its Backup & Replication software, including a critical remote code execution (RCE) flaw tracked as CVE-2025-59470 (CVSS 9.0). The vulnerability allows Backup or Tape Operators (roles with elevated privileges) to execute arbitrary code as the postgres user by sending malicious interval or order parameters. While Veeam classified the issue as high severity (despite its CVSS score), it noted that exploitation risks are mitigated if customers follow recommended security guidelines.

The company also addressed three additional flaws in the same product:
- CVE-2025-55125 (CVSS 7.2): Backup/Tape Operators can achieve RCE as root via a malicious backup configuration file.
- CVE-2025-59468 (CVSS 6.7): Backup Administrators can execute code as postgres using a crafted password parameter.
- CVE-2025-59469 (CVSS 7.2): Backup/Tape Operators can write files as root.

All vulnerabilities affect Veeam Backup & Replication 13.0.1.180 and earlier 13.x versions, with patches available in version 13.0.1.1071. While there is no evidence of active exploitation, past flaws in Veeam software have been targeted by threat actors, underscoring the urgency of applying updates.
INCIDENT DETAILS -
TYPE
Vulnerability Exploitation
IMPACT
Systems Affected: Veeam Backup & Replication software (versions 13.0.1.180 and earlier)
Operational Impact: Potential unauthorized remote code execution or file write access
DECEMBER 2025
100 Before Incident
NOVEMBER 2025
100 Before Incident
OCTOBER 2025
100 Before Incident
Cyber Attack
23 Oct 2025, Veeam Software
Veeam

Sophisticated Social Engineering and Credential Harvesting Attack via Fake CAPTCHA Pages

100 After Incident
CRITICAL (0)
VEE4762147102425
The attack on Veeam involved a multi-stage payload delivery via fake CAPTCHA pages, deploying information stealers to harvest authentication tokens, browser cookies, and stored credentials. Attackers bypassed MFA, escalated privileges via a SOCKS proxy DLL (loaded via `rundll32.exe`), and created a backdoor admin account (Supportt) to maintain persistence. They reset the legitimate Administrator account password, preventing recovery. Extensive reconnaissance was conducted using tools like ScreenConnect, NetScan, and AnyDesk (deployed via ATERA Networks) to map the network and identify privileged accounts (e.g., Domain Admins, service accounts).

The attackers targeted Veeam’s backup infrastructure, extracting credentials from SQL databases (e.g., `VeeamBackup.[dbo].[Credentials]`) using PowerShell scripts with base64-encoded payloads. Compromised credentials included Domain Admins, Exchange servers, SQL databases, and file servers, enabling lateral movement. Defense evasion was achieved via BYOVD (Bring Your Own Vulnerable Driver) using eskle.sys (linked to Chinese gaming cheat tools) to disable security solutions. The attack compromised domain controllers, backup repositories, and critical servers, posing severe operational and security risks.
INCIDENT DETAILS -
TYPE
- Social Engineering
- Credential Harvesting
- Privilege Escalation
- Lateral Movement
- Defense Evasion
- Persistence
- Discovery
MOTIVATION
- Credential Theft
- Lateral Movement
- Persistence
- Data Exfiltration (Likely)
- Potential Ransomware/Extortion (Implied by Credential Harvesting)
IMPACT
- Authentication Tokens
- Browser Cookies
- Stored Credentials (Domain Admins, Service Accounts, Local Admins)
- Veeam Backup Database Credentials (SQL Queries: user_name, password)
- Domain Controllers
- Exchange Servers
- SQL Databases
- File Servers
- Backup Repositories
- Endpoints (Via Information Stealers)
- Veeam Backup Infrastructure
- Compromised Administrative Accounts
- Lateral Movement Across Network
- Potential Data Exfiltration
- Security Tool Evasion (Anti-AV Disabled)
- Persistent Access via RMM Tools
- Brand Reputation Impact: High (Due to Credential Theft and Potential Data Breach)
- Identity Theft Risk: High (Stored Credentials and Tokens Compromised)
DATA BREACH
- Authentication Tokens
- Browser Cookies
- Stored Credentials (Plaintext and Encrypted)
- Veeam Backup Database Records (SQL Tables: Credentials, BackupRepositories, WinServers)
- Sensitivity Of Data: High (Administrative and Service Account Credentials)
- Data Exfiltration: Likely (Implied by Credential Harvesting and Lateral Movement)
- Data Encryption: Partially (Veeam Credentials Stored Encrypted; Decryption Key Found: 0jmz9Hrgy08rc0XrNpQ***[REDACTED]**)
- SQL Database Records
- Stored Browser Credentials
- System Tokens
SEPTEMBER 2025
100 Before Incident
AUGUST 2025
100 Before Incident
JULY 2025
100 Before Incident
JUNE 2025
100 Before Incident
Vulnerability
16 Jun 2025, Veeam Software
Veeam

Veeam Backup & Replication Critical RCE Vulnerability

100 After Incident
CRITICAL (0)
VEE706061725
Veeam has released security updates to fix several vulnerabilities in its Backup & Replication (VBR) software, including a critical remote code execution (RCE) flaw (CVE-2025-23121). This vulnerability can be exploited by authenticated domain users to gain remote code execution on the Backup Server. The flaw affects VBR 12 or later and was fixed in version 12.3.2.3617. Many companies have ignored Veeam's best practices, making their backup servers vulnerable. Ransomware gangs have targeted VBR servers to steal data and block restoration efforts. Recent exploits include the deployment of Frag, Akira, and Fog ransomware. Historically, the Cuba ransomware gang and FIN7 have also exploited VBR vulnerabilities.
INCIDENT DETAILS -
TYPE
Vulnerability
MOTIVATION
- Financial
- Data Theft
- Ransomware Deployment
IMPACT
Veeam Backup & Replication 12 or later
APRIL 2025
100 Before Incident
Ransomware
21 Apr 2025, Veeam Software
Veeam Software: Cyber Recovery Confidence Gap: Only 28% Recover Ransomware Data

Ransomware Recovery Gaps Expose Overconfidence in Cyber Resilience

100 After Incident
CRITICAL (0)
VEE1776782215
Ransomware Recovery Gaps Expose Overconfidence in Cyber Resilience, Veeam Report Finds

A recent survey of over 900 security professionals, spanning C-suite and frontline roles, reveals a stark disconnect between perceived and actual cyber resilience, particularly among ransomware victims. Conducted by Veeam Software for its Data Trust and Resilience Report 2026, the findings highlight critical vulnerabilities as organizations accelerate digital transformation and AI adoption.

Despite 90% of security leaders expressing high confidence in their ability to recover from cyber incidents within defined timeframes, the reality paints a different picture. Only 28% of ransomware-hit organizations fully recovered all affected data in the past 12 months. Another 44% recovered less than 75% of their data, while 29% faced lasting data loss, extended downtime, or ongoing business disruption. Among all organizations that experienced a cyber incident, over 40% reported customer disruption or financial losses, with nearly 30% suffering data loss or operational downtime.

The report attributes this overconfidence to reliance on untested backup systems, policies, or insurance rather than validated recovery capabilities. While 69% of respondents claimed their recovery time objectives (RTOs) aligned with business continuity goals, real-world outcomes suggest these measures often fail under pressure. 56% of ransomware attacks resulted in successful data encryption or exfiltration, underscoring the financial and operational toll, particularly for Indian businesses subject to the Digital Personal Data Protection Act 2023, which imposes regulatory penalties for breaches.

Compounding the challenge is the rapid adoption of agentic AI, where systems autonomously move and act on data with minimal human oversight. The report warns that AI integration is outpacing organizations’ ability to secure underlying data flows, expanding attack surfaces and governance gaps. This "agentic era" further widens the divide between perceived readiness and actual resilience.

The report identifies four key traits of organizations with stronger recovery outcomes: enterprise-wide data visibility, enforced security controls (not just policies), regularly tested recovery capabilities, and executive alignment on risk ownership. The findings emphasize that true resilience demands more than theoretical safeguards: it requires demonstrated, tested recovery processes under realistic conditions.
INCIDENT DETAILS -
TYPE
Ransomware
APRIL 2025
100 Before Incident
Vulnerability
01 Apr 2025, Veeam Software
Veeam and Itaú: Iran boosts cyberattacks, VENON targets Brazilian banks, England Hockey investigates breach

- Iran’s Cyber Operations Expand with Criminal Partnerships
- New Rust-Based Malware Targets Brazilian Banks
- England Hockey Investigates Ransomware Breach
- Storm-2561 Exploits SEO Poisoning for Credential Theft
- Hive0163 Deploys AI-Assisted Malware
- Operation Lightning Disrupts SocksEscort Proxy Network
- Veeam Patches Critical RCE Flaws in Backup Software
- PixRevolution Trojan Hijacks Brazil’s PIX Payments

100 After Incident
CRITICAL (0)
ITAVEE1773411944
Cybersecurity Roundup: State-Backed Threats, Banking Malware, and Major Takedowns

Recent cybersecurity developments highlight escalating threats from state-sponsored actors, sophisticated banking malware, and large-scale law enforcement operations.

### Iran’s Cyber Operations Expand with Criminal Partnerships

Research from Check Point reveals Iran’s Ministry of Intelligence and Security is collaborating with cybercriminal groups to enhance its cyber capabilities. Iranian APTs like Void Manticore are leveraging tools such as the Rhadamanthys infostealer and engaging in ransomware-as-a-service (RaaS) ecosystems. This strategy obscures attribution by sourcing malware, infrastructure, and initial access from underground markets rather than developing proprietary tools.

### New Rust-Based Malware Targets Brazilian Banks

Brazilian firm ZenoX uncovered VENON, a Rust-based banking trojan targeting 33 financial institutions in Brazil. The malware spreads via DLL side-loading, ClickFix social engineering, and employs nine evasion techniques. It monitors active windows, hijacks shortcuts, and deploys fake overlays to steal credentials, particularly from Itaú’s banking app. VENON can also reverse modifications to avoid detection.

### England Hockey Investigates Ransomware Breach

The AiLock ransomware gang claims to have stolen 129GB of data from England Hockey, threatening to leak it unless a ransom is paid. The organization, which oversees 800+ clubs and 150,000 players, is working with law enforcement and cybersecurity experts to assess the breach. AiLock, active since April 2025, uses double-extortion tactics and advanced encryption.

### Storm-2561 Exploits SEO Poisoning for Credential Theft

Microsoft Threat Intelligence reports that Storm-2561 is distributing fake VPN clients via SEO poisoning. Users searching for legitimate VPN software are redirected to malicious sites hosting ZIP files with MSI installers that side-load the Hyrax infostealer. The malware, digitally signed to appear legitimate, captures VPN credentials and maintains persistence via the Windows RunOnce key.

### Hive0163 Deploys AI-Assisted Malware

IBM X-Force researcher Golo Mühr revealed that Hive0163 is using Slopoly, an AI-generated malware, to maintain persistence in ransomware attacks. Deployed via PowerShell scripts and scheduled tasks, Slopoly acts as a backdoor, beaconing system data and executing commands from a C2 server. While AI helped generate structured code, the malware relies on standard persistence techniques. Hive0163 frequently uses ClickFix, malvertising, and access brokers to deliver threats like NodeSnake, Interlock RAT, and Interlock ransomware.

### Operation Lightning Disrupts SocksEscort Proxy Network

A multinational law enforcement operation, Operation Lightning, dismantled the SocksEscort residential proxy network. Authorities seized 34 domains and 23 servers across seven countries and froze $3.5 million in cryptocurrency. The service, which infected routers with AVRecon malware, sold access to 369,000 compromised IPs used for fraud, ransomware, and account takeovers. The network had 124,000 users and caused tens of millions in losses.

### Veeam Patches Critical RCE Flaws in Backup Software

Veeam released patches for multiple vulnerabilities in its Backup & Replication software, including four critical remote code execution (RCE) flaws that could allow low-privileged users to execute code on backup servers. The bugs also enable privilege escalation and credential theft. Fixes are included in versions 12.3.2.4465 and 13.0.1.2067. Veeam warned that attackers often reverse-engineer patches to target unpatched systems, noting backup servers are prime ransomware targets.

### PixRevolution Trojan Hijacks Brazil’s PIX Payments

Researchers at Zimperium discovered PixRevolution, an Android banking trojan that intercepts Brazil’s PIX instant payment system by replacing recipient payment keys during transactions. The malware abuses Android accessibility permissions to monitor screens, stream activity to a command server, and allow real-time intervention by attackers. It spreads via fake Google Play store pages and targets Brazil’s PIX network, used by 76% of Brazilians and processing over three billion transactions monthly.
INCIDENT DETAILS -
TYPE
- State-Sponsored Cyber Operations
- Banking Trojan
- Ransomware
- Infostealer
- AI-Assisted Malware
- Proxy Network Takedown
- Vulnerability Patch
- Banking Trojan
MOTIVATION
- Cyber Espionage, Financial Gain (RaaS)
- Financial Theft (Banking Credentials)
- Financial Gain (Ransomware)
- Credential Theft (VPN Credentials)
- Persistence in Ransomware Attacks
- Fraud, Ransomware, Account Takeovers
- Financial Theft (PIX Payment Hijacking)
IMPACT
- Tens of millions in losses
- 129GB of data stolen
- Brazilian financial institutions (33 targets)
- England Hockey’s systems
- Users searching for VPN software
- Systems targeted by Hive0163
- 369,000 compromised IPs (routers)
- Veeam Backup & Replication servers
- Android devices in Brazil
- England Hockey’s operations under investigation
- Disruption of SocksEscort proxy network
- Potential reputational damage to England Hockey
- Potential reputational damage to Veeam
- Potential legal liabilities for unpatched systems
- High (banking credentials)
- High (VPN credentials)
- High (PIX payment information)
- High (banking credentials)
- High (PIX payment hijacking)
DATA BREACH
- Banking credentials
- 129GB of unspecified data
- VPN credentials
- PIX payment information
- High (banking credentials)
- High (unspecified data)
- High (VPN credentials)
- High (PIX payment information)
- Yes (129GB stolen)
- Yes (AiLock ransomware)
- Yes (Slopoly malware)
- Yes (banking credentials)
- Yes (VPN credentials)
- Yes (PIX payment information)
JANUARY 2025
167 Before Incident
Ransomware
01 Jan 2025, Veeam Software
Veeam: Veeam report finds 69% of firms hit by ransomware in past year

Veeam’s 2025 Ransomware Trends and Proactive Strategies Report

100 After Incident
CRITICAL (-67)
VEE1771993446
Veeam’s 2025 Ransomware Report Reveals Persistent Threats and Gaps in Preparedness

Veeam’s 2025 Ransomware Trends and Proactive Strategies Report highlights the ongoing cybersecurity challenges faced by global organizations, with nearly 69% of surveyed companies, including respondents from Australia, experiencing ransomware attacks in the past year. While this marks a slight improvement from the previous year’s 75%, the report underscores that cyber threats remain pervasive and adaptive.

Despite progress in defenses, perceived preparedness often fails to match reality. Among Australian organizations, confidence in readiness dropped by 17% after an attack, with only 43% feeling fully prepared post-incident. Key vulnerabilities include over 70% lacking a detailed containment plan and fewer than 20% having a defined ransom payment process. Veeam CEO Anand Eswaran noted that while organizations are strengthening defenses, 70% still fell victim to attacks, with only 10% recovering over 90% of their data and 57% recovering less than half.

The report warns that ransomware will continue to evolve, with smaller, independent threat actors filling the void left by disrupted groups like LockBit and BlackCat. A notable shift is the rise in data exfiltration attacks, where cybercriminals steal sensitive information rather than encrypting it. Additionally, ransom payments declined in 2024, with 36% of affected organizations refusing to pay, and 82% of those that did negotiating lower amounts. This trend aligns with new regulatory pressures discouraging ransom payments.

The report identifies collaboration between IT and security teams, law enforcement engagement, and robust backup strategies as critical to resilience. Successful organizations follow the 3-2-1-1-0 rule (maintaining multiple, immutable, and malware-free backups), while only 44% of response playbooks include backup verifications, and just 30% define a clear chain of command.

A key finding is the disconnect between perceived and actual preparedness: 69% of victims believed they were prepared before an attack, but confidence dropped by over 20% afterward, with CIOs reporting a 30% decline compared to 15% among CISOs. The report emphasizes the need for proactive strategies, cross-departmental alignment, and regular training to bridge these gaps.
INCIDENT DETAILS -
TYPE
Ransomware
MOTIVATION
- Financial gain
- Data exfiltration
IMPACT
Operational Impact: Significant data recovery challenges
DATA BREACH
Type Of Data Compromised: Sensitive information
Sensitivity Of Data: High (personally identifiable information likely included)
JUNE 2024
473 Before Incident
Ransomware
16 Jun 2024, Veeam Software
Veeam

Ransomware Attack Exploiting Veeam Backup & Replication Vulnerability

100 After Incident
CRITICAL (-373)
VEE000101324
Ransomware operators have exploited a critical vulnerability in Veeam Backup & Replication, identified as CVE-2024-40711, to execute arbitrary code and deploy malware. This vulnerability allowed attackers to create rogue accounts with administrator privileges. These compromised accounts were then used to deploy ransomware, specifically Fog and Akira variants, and in some instances to exfiltrate data from the network. The attack vectors included access through VPN gateways without multifactor authentication, often with outdated software. The severity of the vulnerability and the sophistication of the attacks indicate a significant security oversight, resulting in considerable risk to data integrity and availability for affected organizations.
INCIDENT DETAILS -
TYPE
Ransomware
Ransomware
16 Jun 2024, Veeam Software
SonicWall

Akira Ransomware Attacks Exploiting SonicWall SSL VPN Vulnerability (CVE-2024-40766)

100 After Incident
CRITICAL (-373)
SON0492204092925
The Akira ransomware group exploited CVE-2024-40766, an improper access control flaw in SonicWall SonicOS SSL VPN, to breach organizations in under four hours. Attackers reused stolen credentials—harvested months prior from unpatched or improperly secured Gen 6-to-Gen 7 firewall upgrades—bypassing MFA via misconfigured SSLVPN Default Users Group settings and OTP manipulation. Once inside, they conducted lateral movement via SMB (Impacket), RDP, and Domain Controller compromise, exfiltrating data using WinRAR, rclone, and FileZilla before deploying Akira ransomware. The attack disabled EDR tools, deleted Shadow Copies, and cleared event logs, crippling recovery efforts. Victims spanned multiple industries, with SonicWall’s cloud backup service also targeted separately. The breach highlights credential reuse risks, even on patched systems, and the speed of modern ransomware operations. Organizations were urged to reset all SSL VPN/LDAP credentials and monitor for VPS logins, SMB anomalies, and unauthorized archival tools to mitigate future intrusions.
INCIDENT DETAILS -
TYPE
- ransomware
- data breach
- credential abuse
- lateral movement
MOTIVATION
- financial gain (ransomware)
- data theft (double extortion)
IMPACT
- Data Compromised: Yes (exfiltrated prior to encryption)
- Domain Controllers
- virtual machine storage
- backup systems
- endpoints with RMM/EDR tools
- system encryption
- data exfiltration
- disruption of backup/recovery processes
- Brand Reputation Impact: High (public disclosure of breaches)
- Identity Theft Risk: Potential (PII likely exfiltrated)
DATA BREACH
- Sensitive corporate data
- Potentially PII
- Virtual machine storage
- Backup data
- Sensitivity Of Data: High
- Data Exfiltration: Yes (via rclone/FileZilla to attacker-controlled VPS)
- Data Encryption: Yes (Akira ransomware)
- Personally Identifiable Information: Likely (not specified)
MARCH 2024
463 Before Incident
Cyber Attack
01 Mar 2024, Veeam Software
Veeam Software

Cyber Resilience and Data Protection Insights by Veeam Software

445 After Incident
LOW (-18)
VEE452043024
Veeam Software, a global leader in data protection and ransomware recovery, highlighted the importance of cyber resilience in light of recent findings. According to the Veeam Data Protection Trends Report, a staggering 76% of organizations have experienced a cyberattack within the last year. This statistic underscores the critical need for robust data protection strategies to safeguard against potential threats. As cyberattacks become more prevalent, organizations must prioritize the security and recoverability of their data. Veeam's commitment to empowering businesses with advanced data protection and recovery solutions is more vital than ever. Through its ProPartner Network, Veeam collaborates with partners worldwide to ensure organizations can effectively combat cyber threats and maintain operational continuity. The importance of cyber resilience is magnified by the increasing frequency and sophistication of cyberattacks, making Veeam's solutions essential for today's digital landscape.
INCIDENT DETAILS -
TYPE
Cyberattack
MARCH 2023
645 Before Incident
Ransomware
01 Mar 2023, Veeam Software
Veeam, SonicWall and Cisco: Researchers Observe Sub-One-Hour Ransomware Attacks

Akira Ransomware Group Accelerates Attacks, Completing Full Compromise in Under an Hour

348 After Incident
CRITICAL (-297)
VEESONCIS1775140482
Security researchers at Halcyon have identified a significant escalation in ransomware attack speed, with the Akira group now executing full attack lifecycles, from initial access to data encryption, in as little as one hour. The group, suspected to include former Conti hackers, has emerged as one of the most sophisticated ransomware operations since its debut in March 2023.

Akira primarily gains entry by exploiting vulnerabilities in internet-facing VPN appliances and backup solutions, particularly those without multi-factor authentication (MFA). Targeted vendors have included SonicWall, Veeam, and Cisco, though the group also employs credential theft, spearphishing, password spraying, and initial access brokers (IABs) to breach networks.

Once inside, Akira follows a double-extortion model, exfiltrating data before encrypting files. To evade detection, the group disables security software and leverages living-off-the-land tools like FileZilla, WinRAR, WinSCP, and RClone for data staging and encryption. Notably, Akira uses intermittent encryption, scrambling as little as 1% of a file, to maximize impact while minimizing detection time.

Halcyon’s report highlights Akira’s disciplined operational tempo, with attacks typically completed in under four hours and some in less than 60 minutes. The group’s stealthy approach, reliance on zero-day exploits, and use of compromised credentials allow it to maintain covert access while rapidly encrypting systems. Since its emergence, Akira has reportedly generated $244 million in ransom payments, according to U.S. government estimates.
INCIDENT DETAILS -
TYPE
Ransomware
MOTIVATION
Financial gain (ransom payments)
IMPACT
Financial Loss: $244 million in ransom payments (estimated)
JANUARY 2023
740 Before Incident
Ransomware
07 Jan 2023 Veeam Software
Veeam: 75% of Organizations Hit by Ransomware in 2023

Ransomware Attacks on Organizations in 2023

641 After Incident
CRITICAL-99
VEE1770473427
Ransomware Attacks Hit 75% of Organizations in 2023, Veeam Report Reveals

A staggering 75% of organizations experienced at least one ransomware attack in 2023, according to Veeam’s Data Protection Trends Report 2024. The study, which surveyed 1,200 IT leaders and data protection professionals, found that 26% of organizations were hit four or more times, surpassing the 25% that reported no attacks at all.

Veeam’s VP of Market Strategy, Jason Buffington, warned that ransomware is an inevitability for most businesses, with some attacks going undetected for up to 200 days before activation. He noted that organizations claiming to have avoided attacks may already be compromised without realizing it.

Beyond ransomware, cyber-attacks were the leading cause of IT outages, responsible for 40% of disruptions and 18% of the most damaging incidents. Unlike other outage triggers, such as cloud failures, human error, or natural disasters, cyber-attacks are deliberate, designed to inflict widespread damage. However, Veeam’s Dave Russell emphasized that while cyber threats dominate concerns, businesses must also prepare for non-malicious risks like hardware failures and accidental data loss.

The report underscores the growing sophistication of ransomware campaigns and the need for comprehensive disaster recovery strategies beyond cybersecurity alone.
INCIDENT DETAILS -
TYPE
Ransomware
IMPACT
Downtime: IT outages (40% of disruptions)
Operational Impact: 18% of the most damaging incidents
DATA BREACH
Data Encryption: Yes (ransomware-related)
SEPTEMBER 2018
779 Before Incident
Data Leak
01 Sep 2018 Veeam Software
Veeam Software

Veeam Software Inc. Data Exposure

668 After Incident
CRITICAL-111
VEE022311022
Cloud data management company Veeam Software Inc. exposed customer data via a misconfigured cloud instance. 200 gigabytes of data relating to more than 440 million customer records were found online. The server was left publicly searchable and wide open until September 9th, when it was quietly secured after several notification attempts. The data is said to consist of marketing leads, which did include business contact details that could be used for nefarious purposes. Leaving a database containing 440 million customer emails exposed without a password makes bad actors’ lives even easier.
INCIDENT DETAILS -
TYPE
Data Exposure
IMPACT
customer emails
business contact details
DATA BREACH
Type Of Data Compromised: Marketing Leads
Sensitivity Of Data: medium
customer emails
business contact details
