Veeam has released security updates to address a critical flaw affecting the Service Provider Console (VSPC) that could open the way for remote code execution on sensitive instances.
The vulnerability, tracked as CVE-2024-42448, has a CVSS score of 9.9 out of a maximum of 10.0. The company noted that the bug was discovered during internal testing.
“From the VSPC Management Agent machine, provided the Management Agent is authorized on the server, remote code execution (RCE) can be performed on the VSPC server machine”, Veeam said in the advisory.
Another flaw fixed by Veeam is related to a vulnerability (CVE-2024-42449, CVSS score: 7.1) that can be exploited to leak the NTLM hash of the VSPC server service account and delete files on the VSPC server machine.
Both discovered vulnerabilities affect Veeam Service Provider Console 8.1.0.21377 and all earlier versions of builds 7 and 8. They were addressed in version 8.1.0.21999.
Veeam also stated that there is no mitigation other than updating to the latest version of the software.
Vulnerabilities in Veeam products are being abused by threat actors to deploy ransomware, so it is very important that users take steps to protect their instances as soon as possible.