CVE-2026-32998
Received
Published: 28 May 2026, 04:01
Last modified:28 May 2026, 04:01
Vulnerability Summary
Overall Risk (default)
high
70/100 CVSS Score
9.4 CRITICAL
v4.0 (cve.org)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
28 May 2026, 04:01
Published
Vulnerability first disclosed
Description
This vulnerability in Veeam Service Provider Console allows for remote code execution.
CVSS Metrics
- v4.0•CRITICAL•Score: 9.4CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
- v4.0•CRITICAL•Score: 9.4CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Techniques & Countermeasures
- CWE-233•Improper Handling of Parameters
The product does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined.
Affected Systems
- veeam•service provider console
≥ 9, ≤ 9.2