The MSP Minute ⏱ Wednesday 10 June 2026
For Managed Service Providers worldwide. Today... it's a big day. Veeam has a critical flaw... the biggest Patch Tuesday in history... and AI found its first real Microsoft vulnerability.
🔴 Veeam just patched a critical flaw that lets any domain user take over your backup server… in a product ransomware gangs already target
If you run Veeam Backup & Replication 12.x in a domain-joined environment, patch this today.
Veeam disclosed CVE-2026-44963 yesterday. It’s a CVSS 9.4 critical vulnerability that lets any authenticated domain user execute arbitrary code remotely on the backup server. The bar for exploitation is remarkably low: ordinary Active Directory credentials are enough, with no admin rights and no special access required, so any domain account an attacker has phished or compromised will do. BleepingComputer
No active exploitation has been confirmed yet. But Veeam explicitly warns that attackers typically begin developing exploits as soon as patches are disclosed.
CISA has previously flagged four separate Veeam Backup & Replication vulnerabilities as actively exploited, and threat groups including Akira, Fog, Frag, and FIN7 have all been linked to attacks on Veeam servers.
The patch is available now. Update to Veeam Backup & Replication version 12.3.2.4854. Note: this vulnerability only affects domain-joined installations. If your Veeam servers are in a workgroup configuration rather than joined to Active Directory, you are not affected by this specific flaw… but it’s sensible to update anyway, as Veeam patched additional high-severity flaws in the same release.
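If you want a quick way to triage a fleet, the script below is an added example (ours, not Veeam’s and not from the advisory) that checks the two conditions the item above says matter: is the server domain-joined, and is the installed build older than the fixed one? It reads the build from the binary behind the Veeam Backup Service (service name VeeamBackupSvc) so the install path is not hard-coded, and it takes the fixed build number 12.3.2.4854 from this newsletter; confirm that number against Veeam’s own advisory before relying on it. Run it in an elevated PowerShell session on the backup server itself.

```powershell
# Added example, not from the newsletter or from Veeam: local exposure check for CVE-2026-44963.
# Assumptions: the Veeam Backup Service is registered as 'VeeamBackupSvc' and the fixed build
# is 12.3.2.4854 as reported above (verify against Veeam's advisory).

$FixedBuild = [version]'12.3.2.4854'

# Condition 1: domain membership. PartOfDomain is $true only when the host is joined to AD.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$domainJoined = [bool]$cs.PartOfDomain

# Condition 2: installed build, read from the file version of the service executable.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='VeeamBackupSvc'"
if (-not $svc) {
    Write-Warning 'VeeamBackupSvc not found: this host does not look like a Backup & Replication server.'
    return
}

# PathName may be quoted and may carry arguments; keep only the executable path.
$exePath = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }

# FileVersionRaw is the parsed System.Version PowerShell exposes on VersionInfo,
# which avoids cast failures when the FileVersion string carries extra text.
$installed = (Get-Item -LiteralPath $exePath).VersionInfo.FileVersionRaw

if (-not $domainJoined) {
    "Workgroup '$($cs.Workgroup)', build $installed : not exposed to this specific flaw, but update for the other fixes in the release."
}
elseif ($installed -lt $FixedBuild) {
    "EXPOSED: domain '$($cs.Domain)', build $installed is older than $FixedBuild. Patch today."
}
else {
    "OK: domain '$($cs.Domain)', build $installed is at or above $FixedBuild."
}
```

This only tells you whether the server matches the vulnerable configuration; it says nothing about whether anyone has already used it, so pair it with a review of recent logons to the backup server from accounts that have no business being there.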
🟡 Yesterday was the biggest Patch Tuesday in Microsoft history: 200 flaws, three zero-days, and the end of the Nightmare Eclipse saga (for now)
June 2026 Patch Tuesday addressed a HUGE 200 vulnerabilities, smashing the previous record of 167 set in October last year.
33 are rated Critical, 28 of which are remote code execution flaws. The full breakdown is live and updating. BleepingComputer
The three zero-days are the ones some MSPs have been following:
GreenPlasma, the Windows CTFMON privilege escalation exploit we first covered in May, is patched as CVE-2026-45586.
YellowKey, the BitLocker bypass that lets anyone with physical access read encrypted drives, is addressed in CVE-2026-50507.
And RedSun, the Defender exploit, was quietly patched without a CVE or public advisory.
All three stem from Nightmare Eclipse, the anonymous disgruntled researcher who has been dropping unpatched Windows exploits since April. Krebs on Security
Also in yesterday’s release: the permanent fix for Exchange Server CVE-2026-42897, the actively exploited cross-site scripting flaw, and the Secure Boot certificate update, which gives you the last comfortable window before the June 26 deadline. Windows Server needs manual deployment via Group Policy or WSUS.
Side note: Nightmare Eclipse dropped a fresh exploit within hours of yesterday’s patches publishing and has promised a “bone shattering” release on July 14, exactly when next month’s Patch Tuesday lands.
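Before you push the Secure Boot certificate update to a pile of Windows Servers, it helps to know which of them already have it. The script below is an added example of ours (not from the newsletter or from Microsoft) that reads the firmware’s Secure Boot signature database (db) and reports whether the Windows UEFI CA 2023 certificate is present alongside the expiring Microsoft Windows Production PCA 2011. It also reads the UEFICA2023Status value under the SecureBoot\Servicing registry key, which we take from Microsoft’s certificate-expiration guidance and which is simply absent on machines the update has not reached yet. Run elevated on a UEFI system; the Secure Boot cmdlets error out on BIOS-mode hosts.

```powershell
# Added example, not from the newsletter or from Microsoft: has this host received the
# Secure Boot certificate update yet? Assumptions: UEFI firmware with Secure Boot available,
# and the certificate subject strings 'Windows UEFI CA 2023' / 'Microsoft Windows Production PCA 2011'.

if (-not (Confirm-SecureBootUEFI)) {
    Write-Warning 'Secure Boot is off or unsupported here; the certificate rollover does not apply.'
    return
}

# db is returned as raw bytes. The certificate subject names sit as ASCII inside the DER
# blobs, so a substring search is enough to see which CAs the firmware currently trusts.
$dbText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)

$has2011 = $dbText -match 'Microsoft Windows Production PCA 2011'
$has2023 = $dbText -match 'Windows UEFI CA 2023'

# Windows records its own progress here once servicing has attempted the update
# (value name per Microsoft's guidance; missing until then, hence SilentlyContinue).
$servicing = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue
$status = if ($servicing -and $servicing.UEFICA2023Status) { $servicing.UEFICA2023Status } else { '(servicing key not present)' }

[pscustomobject]@{
    Host            = $env:COMPUTERNAME
    Has2011PCA      = $has2011
    Has2023CA       = $has2023
    ServicingStatus = $status
    Verdict         = if ($has2023) { 'db already carries the 2023 CA' } else { 'db still lacks the 2023 CA: deploy the update before the deadline' }
}
```

Run it through Invoke-Command against your server list and you get a one-line verdict per host; anything reporting Has2023CA false is where the Group Policy or WSUS deployment still has work to do. Seeing both certificates at once is expected during the transition, since the 2011 CA is not removed, only joined by the 2023 one.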
🟢 For the first time ever, Microsoft credited an AI for finding a vulnerability in Patch Tuesday
Buried inside yesterday’s record-breaking release is an AI footnote.
CVE-2026-49160, a denial-of-service flaw affecting Microsoft IIS web servers, was discovered and reported not by a human security researcher, but by OpenAI’s Codex AI.
Microsoft explicitly credited it in the advisory. It’s the first time a major vendor has publicly acknowledged an AI system as the discoverer of a real-world vulnerability in a Patch Tuesday release. Krebs on Security
Right, that's your update for Hump Day. We said it was a big one, didn't we? We'll be back in your inbox tomorrow morning. Have a good one.