Veeam reports critical flaw in its Service Provider Console tool
Take action: If you are using Veeam Service Provider Console, it's time to apply the patch. By the very nature of the tool, it's accessible to multiple users, so it's difficult to isolate and lock it down. If you are using an unsupported version, strongly consider upgrading or shutting down the program, since hackers will scan for them and attack them.
Learn More
Veeam, a provider of backup management tools, is reporting a critical vulnerability affecting its Veeam Service Provider Console (VSPC). The vulnerability was discovered during internal testing by Veeam, and there were no reports of exploitation in the wild as of the announcement.
The flaw, tracked as CVE-2024-29212 (CVSS score 9.8), involves an insecure method of deserializing data which could allow remote attackers to execute arbitrary code under certain conditions.
The vulnerability affects multiple versions of the VSPC: 4.0, 5.0, 6.0, 7.0, and 8.0. Other Veeam products are reported not to be at risk. The flaw is fixed in versions 7.0.0.18899 and 8.0.0.19236. Veeam has already ceased support for versions 4.0, 5.0, and 6.0, so these versions will no longer receive security updates and remain at risk.
Administrators managing the affected versions are urged to install the updates provided by Veeam for versions 7.0 and 8.0, or to upgrade the older, unsupported versions to a supported one.
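As an added example (not Veeam's code or tooling), the following Python triage classifies a fleet of VSPC build numbers against the fixed builds named above; host names and the non-fixed build numbers are constructed, and the comparison is numeric per component rather than string-based, which matters for a four-part build like 8.0.0.19236.

```python
"""Triage installed Veeam Service Provider Console (VSPC) builds against the
CVE-2024-29212 advisory. Added example, not Veeam's code: the fixed builds come
from the advisory (7.0.0.18899 and 8.0.0.19236); everything else is constructed."""
from __future__ import annotations

# Fixed builds per supported major version, as published in the advisory.
FIXED_BUILDS = {7: (7, 0, 0, 18899), 8: (8, 0, 0, 19236)}
# Major versions Veeam no longer supports: affected, and no fix will ship.
UNSUPPORTED_MAJORS = {4, 5, 6}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '7.0.0.18899' into (7, 0, 0, 18899); short forms like '7.0' are zero-padded."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def triage(version_text: str) -> str:
    """Classify one install as 'unsupported', 'vulnerable', 'fixed' or 'unknown'."""
    v = parse_version(version_text)
    major = v[0]
    if major in UNSUPPORTED_MAJORS:
        return "unsupported"   # affected with no patch: upgrade or decommission
    if major in FIXED_BUILDS:
        # Tuple comparison is numeric per component, so 19236 > 2000 here,
        # whereas a plain string compare would wrongly rank "19236" below "2000".
        return "fixed" if v >= FIXED_BUILDS[major] else "vulnerable"
    return "unknown"           # not covered by the advisory; confirm with the vendor


def triage_inventory(inventory: dict[str, str]) -> dict[str, str]:
    """Map host name -> status for a whole fleet."""
    return {host: triage(ver) for host, ver in inventory.items()}


# Constructed sample inventory: hostnames and the unpatched builds are made up.
SAMPLE_INVENTORY = {
    "vspc-prod-01": "8.0.0.19236",  # patched build from the advisory
    "vspc-prod-02": "8.0.0.2000",   # constructed older 8.0 build, needs the update
    "vspc-dr-01": "7.0.0.18899",    # patched build from the advisory
    "vspc-lab-01": "7.0",           # build unknown, padded to 7.0.0.0: treated as vulnerable
    "vspc-legacy": "6.0.0.1",       # unsupported branch, no fix available
}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:14s} {status}")
```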