Veeam reports critical flaw in Service Provider Console
Take action: If you are running the Veeam Service Provider Console platform, it is time for a quick patch. The exploit scenario for the flaws has preconditions (access to the management agent server, or the agent's credentials), but the severity Veeam assigns indicates a very high probability of the agent being compromised. So don't be lazy: apply the patch. If you are running unsupported - and probably vulnerable - versions of backup/DR software, are you really protected?
Learn More
Veeam Software is reporting two vulnerabilities affecting its Service Provider Console (VSPC), with patches released on December 3, 2024. The VSPC platform, which serves as a managed backup-as-a-service (BaaS) and disaster-recovery-as-a-service (DRaaS) solution for monitoring customer backups and managing Veeam-protected workloads, is used by service providers worldwide.
- CVE-2024-42448 (CVSS score 9.9) - Remote Code Execution (RCE). Allows arbitrary code execution on the VSPC server from a management agent machine.
- CVE-2024-42449 (CVSS score 7.1) - Information Disclosure and File Deletion. Enables theft of the NTLM hash of the VSPC server service account, as well as file deletion.
For the exploits to succeed, the attacker must already be present on the management agent machine, or hold the management agent's authorization/credentials for the server.
Affected Versions:
- VSPC 8.1.0.21377 and all earlier versions
- All version 8 and 7 builds
- Unsupported versions are likely vulnerable but untested
Veeam has released version 8.1.0.21999, which addresses both vulnerabilities; the company states that no alternative mitigations are available. Veeam also emphasizes that these vulnerabilities do not affect other products such as Veeam Backup & Replication, Veeam Agent for Microsoft Windows, or Veeam ONE.
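As an added example (not Veeam's code and not part of the original advisory), the following Python script turns the affected and fixed builds listed above into a patch-triage check for a fleet of VSPC hosts. The host names and version strings in it are constructed sample input; it assumes you already collect the installed VSPC build string through your own inventory tooling, since the advisory does not say where to read it from.

```python
# Added example, not Veeam's code: classify VSPC hosts against the builds named
# in the advisory. Version strings below are constructed sample input; how the
# real installed build is collected is left to your inventory tooling (assumption).
from typing import List, Tuple

FIXED_BUILD = (8, 1, 0, 21999)   # first build that addresses CVE-2024-42448/42449
OLDEST_COVERED_MAJOR = 7         # advisory covers all version 7 and 8 builds


def parse_build(version: str) -> Tuple[int, ...]:
    """Turn a dotted build string such as '8.1.0.21377' into a comparable
    4-tuple. Missing trailing fields are padded with 0 so '8.1' compares sanely."""
    parts = [int(p) for p in version.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unsupported-likely-vulnerable'.

    - at or above 8.1.0.21999           -> patched
    - any 7.x or 8.x build below that   -> vulnerable (per the advisory)
    - anything older than version 7     -> unsupported; the advisory calls these
                                           likely vulnerable but untested
    """
    build = parse_build(version)
    if build >= FIXED_BUILD:
        return "patched"
    if build[0] >= OLDEST_COVERED_MAJOR:
        return "vulnerable"
    return "unsupported-likely-vulnerable"


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Annotate each (host, version) pair with its patch status."""
    return [(host, version, assess(version)) for host, version in inventory]


def hosts_needing_action(inventory: List[Tuple[str, str]]) -> List[str]:
    """Hosts that are not on a fixed build, in inventory order."""
    return [host for host, _, status in triage(inventory) if status != "patched"]


# Constructed sample inventory (hypothetical host names and builds).
SAMPLE_INVENTORY = [
    ("vspc-01", "8.1.0.21999"),   # patched build from the advisory
    ("vspc-02", "8.1.0.21377"),   # last affected build named in the advisory
    ("vspc-03", "7.0.0.1234"),    # a version 7 build: all of these are affected
    ("vspc-legacy", "6.0.0.10"),  # unsupported: likely vulnerable, untested
]

if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {version:14} {status}")
    print("needs action:", ", ".join(hosts_needing_action(SAMPLE_INVENTORY)))
```

The check deliberately treats every unnamed 7.x or 8.x build below the fixed version as vulnerable, matching the advisory's "all version 8 and 7 builds" wording, and flags pre-7 installs separately so they show up as an upgrade item rather than silently passing.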