Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console

Veeam has released security updates to address a critical flaw impacting Service Provider Console (VSPC) that could pave the way for remote code execution on susceptible instances.

The vulnerability, tracked as CVE-2024-42448, carries a CVSS score of 9.9 out of a maximum of 10.0. The company noted that the bug was identified during internal testing.

"From the VSPC management agent machine, under the condition that the management agent is authorized on the server, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine," Veeam said in an advisory.

Another defect patched by Veeam relates to a vulnerability (CVE-2024-42449, CVSS score: 7.1) that could be abused to leak an NTLM hash of the VSPC server service account and delete files on the VSPC server machine.

Both the identified vulnerabilities affect Veeam Service Provider Console 8.1.0.21377 and all earlier versions of 7 and 8 builds. They have been addressed in version 8.1.0.21999.

Veeam further said there are no mitigations to fix the problems, and that the only solution is to upgrade to the latest version of the software.

With flaws in Veeam products being abused by threat actors to deploy ransomware, it's imperative that users take action to secure their instances as soon as possible.