External risk intelligence

Remote Code Execution in Backup Server for Authenticated Domain Users

CVE advisory. Severity: CRITICAL (CVSS 9.4)

CVE-2026-44963

A critical vulnerability allows an authenticated domain user to execute arbitrary code on the Backup Server, potentially impacting the confidentiality, integrity, and availability of backup data and services. This issue requires an authenticated domain user to exploit, and infrastructure or security teams are likely re

Halo Surface Signal

Deserialization

External exposure likelihood

Halo Surface Signal score for CVE-2026-44963

The vulnerability affects a Backup Server and requires an authenticated domain user to exploit. Backup infrastructure is typically deployed within internal network segments, protected by domain authentication and restricted access controls, making public internet exposure uncommon.

PCI scan relevance

PCI Relevance for CVE-2026-44963

Yes

CVE-2026-44963 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows remote code execution, which can lead to an automatic failure in PCI ASV scans and requires remediation before attestation.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified that could allow a remote attacker with existing domain access to execute arbitrary code on the Backup Server. This issue impacts the confidentiality, integrity, and availability of backup data and services.

  • Authenticated users can run malicious code remotely.
  • Affects sensitive backup data and services.
  • Confirm relevance and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker with existing authenticated access to the domain could target the Backup Server. With that access, the attacker can reach a server feature that deserializes user-supplied data; when triggered with crafted input, it could lead to the execution of arbitrary code on the server.

  • Requires authenticated domain access.
  • Targets the Backup Server.
  • Potential for remote code execution.

Live Threat

Current exploitation, exposure, and threat context

An authenticated domain user could execute arbitrary code on the Backup Server. This could impact the integrity and confidentiality of backup data and services.

  • Affected asset: Backup Server system and data.
  • Authenticated user gains remote code execution.
  • Compromised backup integrity and confidentiality.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability affecting the Backup Server requires an authenticated domain user, suggesting that infrastructure and security teams are primarily responsible for remediation. The first practical step involves identifying all instances of the Backup Server, assessing their reachability and business criticality, and then pinpointing the accountable owner to plan a risk-based remediation strategy.

  • Infrastructure or security teams own this.
  • Verify server reachability and criticality.
  • Plan and execute remediation.

Frequently asked questions

What is the Backup Server mentioned in CVE-2026-44963?

The Backup Server is a central component in enterprise environments responsible for storing, managing, and protecting critical organizational data. It serves as the primary hub for data restoration tasks and infrastructure availability, acting as a protected repository that holds copies of vital system and application information.

How would you describe the weakness in CVE-2026-44963?

This vulnerability is classified as CWE-502, which involves insecure deserialization. In plain terms, the software takes data from an untrusted source and attempts to reconstruct it into an object without sufficient validation. An attacker can manipulate this process to force the server to execute unintended, malicious code, granting them control over the system.
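The following is an added illustration of the CWE-502 pattern described above, written for this page and not taken from the advisory or from any backup product. It assumes a hypothetical backup server that accepts a pickled job descriptor from an authenticated client; it shows a loader that resolves only an allowlist of classes, plus a scanner that reports which globals a stream would import without deserializing it.

```python
# Added illustration of hardening against CWE-502; not code from the advisory
# or any backup product. Hypothetical: a backup server accepts a pickled job
# descriptor from an authenticated client. pickle.loads() lets the sender pick
# which classes/callables get reconstructed; the loader below allowlists them
# and referenced_globals() reports what a stream would import without loading.
import io
import pickle
import pickletools
from collections import OrderedDict
from decimal import Decimal

ALLOWED_GLOBALS = {("decimal", "Decimal")}  # constructed allowlist
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

def referenced_globals(data: bytes) -> set:
    """Detection aid: every (module, name) the stream would import. Tracks
    pushed strings and the memo only as far as GLOBAL/STACK_GLOBAL need."""
    found, pushed, memo = set(), [], {}
    for op, arg, _ in pickletools.genops(data):
        if op.name in STRING_OPS:
            pushed.append(arg)
        elif op.name == "MEMOIZE":  # only memoized strings matter here
            memo[len(memo)] = pushed[-1] if pushed else None
        elif op.name in ("BINGET", "LONG_BINGET"):
            pushed.append(memo.get(arg))
        elif op.name == "GLOBAL":  # protocols < 4 carry the names inline
            found.add(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":  # protocol 4+: names come from the stack
            found.add((pushed[-2], pushed[-1]))
    return found

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")

def load_job(data: bytes):
    """Returns (referenced globals, descriptor dict or None if refused)."""
    globs = referenced_globals(data)
    try:
        obj = RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError:
        return globs, None
    return globs, (obj if isinstance(obj, dict) else None)

# Constructed inputs: a benign descriptor, and one naming a class outside the
# allowlist (harmless here; exploits abuse the same class-resolution step).
BENIGN = pickle.dumps({"job": "nightly", "paths": ["/srv/data"],
                       "quota_gb": Decimal("30.5")}, protocol=4)
UNEXPECTED = pickle.dumps(OrderedDict(job="nightly"), protocol=4)
```

The scanner is a triage aid for logging or alerting on unexpected class references; the allowlisting unpickler is the actual control, and a format that carries no class references at all (such as JSON with schema validation) removes the problem class entirely.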

Do I need to be an administrator to trigger this bug?

No, you do not need administrative privileges, but the vulnerability does require an authenticated domain user account to be successfully triggered. Actions performed by unauthenticated users or guests do not trigger this specific flaw, as the attack path relies on the ability to interact with the server as a recognized user within the domain.

Is my Backup Server at high risk according to Halo Surface Signal?

Halo Surface Signal identifies this risk as unlikely for most organizations. Because the Backup Server is typically isolated within internal network segments and relies on domain-level authentication, it is rarely exposed directly to the public internet. The need for existing domain credentials acts as a significant barrier against broad, automated internet-based attacks.

What should I do first to manage this CVE?

Your first step is to locate all instances of the Backup Server within your environment. Once identified, evaluate their network reachability and business criticality to understand how they are protected. Determine who is responsible for these systems so you can collaborate on a risk-based plan to apply the necessary security updates once they become available.
