Veeam plugs serious holes in Service Provider Console (CVE-2024-42448, CVE-2024-42449)
Veeam has fixed two vulnerabilities in Veeam Service Provider Console (VSPC), one of which (CVE-2024-42448) may allow remote attackers to achieve code execution on the VSPC server machine.
The vulnerabilities
Veeam Service Provider Console is a cloud-enabled platform that allows enterprises to manage and monitor backup operations across their offices. It’s also used by service providers to deliver Backup-as-a-Service (BaaS) and Disaster Recovery-as-a-Service (DRaaS) services to customers.
The solution uses management agents to interact with machines in managed infrastructures that run Veeam backup, disaster recovery and IT monitoring/reporting products.
CVE-2024-42448 allows remote code execution from the VSPC management agent machine on the VSPC server machine – if the management agent is authorized on the server.
CVE-2024-42449 allows attackers to leak an NTLM hash of the VSPC server service account and delete files on the VSPC server machine – if they have a presence on the VSPC management agent machine and if the management agent is authorized on the server.
Additional information about the vulnerabilities is still under wraps.
Upgrade quickly!
Both CVE-2024-42448 and CVE-2024-42449 were discovered during internal testing, and Veeam does not mention in-the-wild exploitation.
They affect Veeam Service Provider Console 8.1.0.21377 and all earlier version 8 and version 7 builds, and have been fixed in Veeam Service Provider Console v8.1.0.21999.
“We encourage service providers using supported versions of Veeam Service Provider Console (versions 7 & 8) to update to the latest cumulative patch. Service Providers using unsupported versions are strongly encouraged to upgrade to the latest version of Veeam Service Provider Console,” the company advised.
Upgrading is the only way to plug these holes, as there is no mitigation available.
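For operators with many VSPC installations, a quick inventory triage against the affected and fixed builds named above is the practical first step. The following helper is an added example, not code from Veeam or from this article; the version bounds are taken from the text, the hostnames and versions in the sample inventory are constructed, and builds that fall between the last listed affected build and the fixed build are reported as "unknown" rather than assumed safe, since the advisory text does not describe them.

```python
"""Triage helper: classify reported Veeam Service Provider Console builds
against the affected/fixed versions named for CVE-2024-42448 / CVE-2024-42449."""
from typing import Dict, Tuple

# Bounds as stated in the advisory text: 8.1.0.21377 and all earlier v8 and v7
# builds are affected; v8.1.0.21999 carries the fix.
LAST_AFFECTED = (8, 1, 0, 21377)
FIXED = (8, 1, 0, 21999)
SUPPORTED_MAJORS = {7, 8}  # the versions Veeam lists as supported


def parse_build(version: str) -> Tuple[int, ...]:
    """Turn 'v8.1.0.21377' or '8.1.0.21377' into a comparable tuple of ints."""
    parts = version.strip().lstrip("vV").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised VSPC version string: {version!r}")
    return tuple(int(p) for p in parts)


def classify(version: str) -> str:
    """Return 'vulnerable', 'fixed', 'unknown' or 'unsupported' for one build."""
    build = parse_build(version)
    major = build[0]
    if major not in SUPPORTED_MAJORS:
        return "unsupported"   # not covered by the patch; full upgrade required
    if major == 7:
        return "vulnerable"    # every v7 build is listed as affected
    if len(build) < 4:
        return "unknown"       # the build number decides; a bare '8.1' is not enough
    if build <= LAST_AFFECTED:
        return "vulnerable"
    if build < FIXED:
        return "unknown"       # between the last listed affected build and the fix
    return "fixed"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> status for a {host: version} inventory."""
    return {host: classify(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts), not real data.
    sample = {
        "vspc-prod-01": "v8.1.0.21377",
        "vspc-prod-02": "8.1.0.21999",
        "vspc-lab-01": "7.0.0.1200",
        "vspc-legacy": "6.0.0.900",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```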