Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
This vulnerability in Veeam Service Provider Console allows for remote code execution.
AnalysisAI
Remote code execution in Veeam Service Provider Console versions 9.0 through 9.2 allows authenticated remote attackers to execute arbitrary code on the server, per the CVSS 4.0 vector requiring low privileges (PR:L) over the network. With a CVSS score of 9.4 and a scope change indicating impact beyond the vulnerable component (SC:H/SI:H/SA:H), successful exploitation could compromise managed downstream customer environments. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Technical ContextAI
Veeam Service Provider Console (VSPC) is a multi-tenant management platform used by managed service providers to centrally administer Veeam backup deployments across customer tenants. The CPE string cpe:2.3:a:veeam:service_provider_console:*:*:*:*:*:*:*:* confirms the application-level scope. The assigned weakness CWE-233 (Improper Handling of Parameters) suggests the flaw stems from how the console processes input parameters - likely allowing attacker-controlled values to influence backend operations in a way that culminates in arbitrary code execution on the host. Given VSPC's architecture as a centralized orchestration plane, parameter-handling flaws on management endpoints are especially impactful because the console holds elevated trust relationships with managed agents.
RemediationAI
Apply the fixed version published in Veeam KB4853 (https://www.veeam.com/kb4853) - the input data confirms a vendor advisory exists, but an exact patched build number was not provided in the supplied intelligence, so retrieve the precise upgrade target directly from that KB. Until the patch can be deployed, restrict network access to the VSPC web console and API endpoints to trusted management networks only (firewall/ACL allowlisting), and audit and minimize the number of low-privilege console accounts to reduce the population of users who can satisfy the PR:L precondition; note that tightening access on a multi-tenant MSP console will affect legitimate tenant administrators and should be coordinated. Rotate credentials and review console audit logs for anomalous parameter values or unexpected administrative actions during the exposure window.
Same weakness CWE-233 – Improper Handling of Parameters
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32714
GHSA-fj2r-48wp-hcm4