Description
This vulnerability in Veeam Service Provider Console allows for remote code execution.
Published: 2026-05-28
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Veeam Service Provider Console is vulnerable to a command injection flaw that permits remote execution of arbitrary system commands. The flaw, classified as CWE-233, compromises the integrity and confidentiality of the affected system and allows a malicious actor to take full control.

Affected Systems

The vulnerability affects Veeam Service Provider Console. No specific version constraints are listed, so all currently deployed installations may be affected until a vendor patch is released.

Risk and Exploitability

The CVSS score of 9.4 denotes critical severity. No EPSS score is currently available and the vulnerability is not listed in CISA’s KEV catalog, but the lack of data does not reduce the risk of exploitation. An attacker is likely to take advantage of the command injection remotely over the network, possibly using default or weak credentials or simply through an open management port.

Generated by OpenCVE AI on May 28, 2026 at 05:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑issued patch for Veeam Service Provider Console immediately, following the instructions in the linked KB article.
  • Limit management access to the console by restricting it to trusted internal networks and disabling unused ports to shrink the attack surface.
  • Monitor system and network logs for unauthorized command execution attempts and quarantine any compromised instances promptly.


Advisories

No advisories yet.

References
History

Fri, 29 May 2026 17:30:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 28 May 2026 13:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 28 May 2026 05:45:00 +0000

Type: Title
Values Added: Remote Code Execution in Veeam Service Provider Console via Command Injection

Type: First Time appeared
Values Added: Veeam; Veeam service Provider Console

Type: Vendors & Products
Values Added: Veeam; Veeam service Provider Console

Thu, 28 May 2026 04:45:00 +0000

Type: Description
Values Added: This vulnerability in Veeam Service Provider Console allows for remote code execution.

Type: Weaknesses
Values Added: CWE-233

Type: References

Type: Metrics
Values Added: cvssV4_0 {'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-05-29T15:16:35.218Z

Reserved: 2026-03-17T15:00:07.747Z

Link: CVE-2026-32998

Vulnrichment

Updated: 2026-05-28T13:08:53.002Z

NVD

Status: Deferred

Published: 2026-05-28T05:16:35.970

Modified: 2026-05-29T15:39:34.620

Link: CVE-2026-32998

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T05:30:06Z
