
Veeam Software has released security updates to address two critical vulnerabilities in its Service Provider Console (VSPC), its centralized backup management platform, that could allow remote attackers to execute arbitrary code on vulnerable systems.
The first vulnerability, tracked as CVE-2024-42448 with a CVSS score of 9.9, is a remote code execution flaw that allows an attacker to compromise a VSPC server from an authorized management agent. Successful exploitation could grant the attacker complete control over the server, potentially jeopardizing sensitive customer data and disrupting backup and recovery operations.
The second vulnerability, tracked as CVE-2024-42449 with a CVSS score of 7.1, also abuses an authorized management agent, this time to extract the NTLM hashes of VSPC server service accounts and to delete files on the server. This could be used to escalate privileges and further compromise the system.
These vulnerabilities affect Veeam VSPC version 8.1.0.21377 and all earlier versions, including version 8 and version 7 builds. Veeam has addressed them in Service Provider Console version 8.1.0.21999.
Veeam urges all service providers using supported versions of VSPC to update to this latest cumulative patch immediately.
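As an added triage check (not part of the article or of Veeam's own tooling), the following script compares VSPC build strings numerically against the fixed build named above and flags hosts that still need the patch; the hostnames and versions in the sample inventory are constructed.

```python
# Added example, not from the Veeam advisory: triage a VSPC inventory against
# the fixed build named in the article. Sample hosts below are constructed.
from typing import NamedTuple

FIXED_BUILD = "8.1.0.21999"  # first build containing the fix (from the article)


def parse_build(version: str) -> tuple[int, ...]:
    """Turn '8.1.0.21377' into (8, 1, 0, 21377) so comparisons are numeric.

    Plain string comparison is wrong here: '8.1.0.9999' sorts after
    '8.1.0.21999' lexicographically, yet build 9999 is older than 21999.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised VSPC build string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> bool:
    """True if the build predates the fix for CVE-2024-42448 / CVE-2024-42449."""
    return parse_build(version) < parse_build(FIXED_BUILD)


class Host(NamedTuple):
    name: str
    version: str


def triage(inventory: list[Host]) -> dict[str, list[str]]:
    """Split an inventory into hosts needing the patch, fixed hosts, and
    hosts whose reported version could not be parsed (needs manual review)."""
    result: dict[str, list[str]] = {"patch_required": [], "fixed": [], "unparseable": []}
    for host in inventory:
        try:
            bucket = "patch_required" if is_vulnerable(host.version) else "fixed"
        except ValueError:
            bucket = "unparseable"
        result[bucket].append(host.name)
    return result


if __name__ == "__main__":
    sample = [  # constructed inventory, not real hosts
        Host("vspc-01", "8.1.0.21377"),  # last affected build from the article
        Host("vspc-02", "8.1.0.21999"),  # fixed build from the article
        Host("vspc-03", "7.0.0.12345"),  # constructed older version 7 build
        Host("vspc-04", "8.1.0.9999"),   # constructed; exposes the string-compare pitfall
        Host("vspc-05", "unknown"),      # agent did not report a version
    ]
    for bucket, names in triage(sample).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```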