The vulnerability affects certain versions of the Veeam Service Provider Console that can only be fixed by updating with the latest patch.
Data protection vendor Veeam released an update to address a critical vulnerability affecting the Veeam Service Provider Console (VSPC) that, if exploited, could lead to remote code execution (RCE).
Tracked as CVE-2024-42448 with a CVSS score of 9.9, the vulnerability was discovered by Veeam during internal testing.
Veeam found another vulnerability in the process, CVE-2024-42449, with a high CVSS score of 7.1, which could leak an NTLM hash of the VSPC server service account and delete files off the machine.
Both of the vulnerabilities affect VSPC 8.1.0.21377 and all earlier versions of 7 and 8 builds.
“These service providers often trust their third-party vendor tools to manage client data and ensure business continuity,” Elad Luz, head of research as Oasis Security, wrote in an emailed statement to Dark Reading. “When these vendors, like Veeam, have vulnerabilities that allow remote code execution, it exposes critical backup infrastructure to potential exploitation. In industries where data security is paramount, such as finance, healthcare, and legal services, the risk is amplified as these sectors hold sensitive data that is attractive to cybercriminals.”
As there are no mitigations available for these vulnerabilities, Veeam recommends users of the supported versions of VSPC update to the latest cumulative patch.
