Skip to main content

Veeam Service Provider Console CVE-2026-32998

| EUVDEUVD-2026-32714 CRITICAL
Improper Handling of Parameters (CWE-233)
2026-05-28 hackerone GHSA-fj2r-48wp-hcm4
9.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
May 28, 2026 - 07:00 vuln.today
CVSS changed
May 28, 2026 - 05:22 NVD
9.4 (CRITICAL)
CVE Published
May 28, 2026 - 04:01 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 04:01 nvd
CRITICAL 9.4

DescriptionCVE.org

This vulnerability in Veeam Service Provider Console allows for remote code execution.

AnalysisAI

Remote code execution in Veeam Service Provider Console versions 9.0 through 9.2 allows authenticated remote attackers to execute arbitrary code on the server, per the CVSS 4.0 vector requiring low privileges (PR:L) over the network. With a CVSS score of 9.4 and a scope change indicating impact beyond the vulnerable component (SC:H/SI:H/SA:H), successful exploitation could compromise managed downstream customer environments. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

Technical ContextAI

Veeam Service Provider Console (VSPC) is a multi-tenant management platform used by managed service providers to centrally administer Veeam backup deployments across customer tenants. The CPE string cpe:2.3:a:veeam:service_provider_console:*:*:*:*:*:*:*:* confirms the application-level scope. The assigned weakness CWE-233 (Improper Handling of Parameters) suggests the flaw stems from how the console processes input parameters - likely allowing attacker-controlled values to influence backend operations in a way that culminates in arbitrary code execution on the host. Given VSPC's architecture as a centralized orchestration plane, parameter-handling flaws on management endpoints are especially impactful because the console holds elevated trust relationships with managed agents.

RemediationAI

Apply the fixed version published in Veeam KB4853 (https://www.veeam.com/kb4853) - the input data confirms a vendor advisory exists, but an exact patched build number was not provided in the supplied intelligence, so retrieve the precise upgrade target directly from that KB. Until the patch can be deployed, restrict network access to the VSPC web console and API endpoints to trusted management networks only (firewall/ACL allowlisting), and audit and minimize the number of low-privilege console accounts to reduce the population of users who can satisfy the PR:L precondition; note that tightening access on a multi-tenant MSP console will affect legitimate tenant administrators and should be coordinated. Rotate credentials and review console audit logs for anomalous parameter values or unexpected administrative actions during the exposure window.

Share

CVE-2026-32998 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy