DMZ//THREAT INTEL
FEED ACTIVELAST SYNC: 06:13:27ZSOURCES: 14CRITICAL: 30
⚠ ACTIVE ALERTS
@FalconFeedsio CRITICAL — 🚨 Ransomware Alert: The Gentlemen RaaS group continues active DLS postings. Now at 478… /// @DarkWebInformer CRITICAL — 🚨 ServiceNow discloses June 5 security update tied to anomalous activity — KB3067321.… /// @MsftSecIntel CRITICAL — MSTIC analysis of The Gentlemen ransomware (tracked internally): self-propagating… /// @GossiTheDog CRITICAL — ServiceNow KB3067321 situation is worse than the vendor comms suggest. Advisory was gated… /// @AlvieriD CRITICAL — The '340M OnlyFans' listing on the leak forum is a compiled corpus — seller confirmed to…
30Critical Threats
15Active CVEs
1IOCs Tracked
14New Advisories
INTEL FEED/ARCHIVE/CVE
DMZ INTEL DESK//FILED: 2026-06-11//14:42Z
CRITICAL#cve

CVE-2026-44963 (CVSS 9.4): Any Domain User Can RCE Veeam Backup & Replication 12.x — Ransomware Weaponization Expected Imminently

WatchTowr researcher Sina Kheirkhah disclosed CVE-2026-44963, a critical RCE flaw in Veeam Backup & Replication affecting all 12.x builds up to 12.3.2.4465 on domain-joined deployments; any authenticated domain user — not just an admin — can execute arbitrary code on the backup server. Veeam patched in build 12.3.2.4854 on June 9 and explicitly warned that threat actors routinely reverse-engineer patches to weaponize them rapidly, a pattern already confirmed with prior Veeam flaws CVE-2024-40711 (exploited by Akira and Fog within weeks) and CVE-2025-23121. Backup servers are the ransomware kill shot — compromise before encryption removes the victim's recovery option entirely; organizations running domain-joined Veeam must treat this as an emergency patch.

Backup servers are the ransomware kill shot — compromise before encryption removes the victim's recovery option entirely; organizations running domain-joined Veeam must treat this as an emergency patch.

This intelligence brief has been compiled from open-source reporting and corroborated across multiple threat intelligence sources. Defenders should treat the critical severity rating as a guide to prioritization within their environment.

For the latest indicators of compromise, formatted SIEM queries, and unredacted actor intelligence related to this brief, DMZ Operator subscribers receive automated IOC packages via email the moment new advisories are published.

FILED UNDER:
veeam · cve-2026-44963 · rce · backup-infrastructure · ransomware-precursor · active-directory · watchtowr
STAY AHEAD OF THREATS
Daily intel briefs and IOC packages — delivered to your inbox the moment a new advisory drops.
SUBSCRIBE — $29/MO →
SHARE BRIEF:✕ Post on Xin Share on LinkedIn

RELATED ACTORS

ACTOR
OPERATION RIPTIDE (FBI / Multi-National Law Enforcement Action)
CRIMINAL
ACTOR
DRAGONFORCE + SCATTERED SPIDER (Alliance Update)
CRIMINAL

MORE FROM ARCHIVE

# CVE
2026-06-13
Check Point Discloses Three-CVE RCE Chain in LangGraph Affecting 46M+ Monthly Downloads; SQL Injection to Unsafe Deserialization Kill Chain
# CVE
2026-06-12
Qilin Affiliate Exploiting Check Point VPN CVE-2026-50751 (CVSS 9.3) IKEv1 Auth Bypass as Zero-Day Since May 7 — CISA KEV, Hotfix Available
# CVE
2026-06-09
CVE-2026-23111: Linux Kernel nf_tables Use-After-Free Enables Unprivileged Root and Container Escape — Full Exploit Public via Exodus Intelligence
# CVE
2026-06-09
CVE-2026-28318: CISA KEV-Listed SolarWinds Serv-U Unauthenticated DoS Actively Exploited — 12,000+ Internet-Exposed Instances, FCEB Deadline June 19