Veeam, a provider of backup and data protection software, has released a security advisory for a remote code execution (RCE) vulnerability in its Service Provider Console (VSPC). Tracked as CVE-2024-29212 and rated high severity (CVSS 3.1 base score 8.8), the flaw lets an attacker execute code on the VSPC server and, from there, reach the backup data the console manages.
- The vulnerability affects the Veeam Service Provider Console (VSPC), the console service providers use to manage data protection for their customers' physical and virtual environments.
- It carries a CVSS 3.1 base score of 8.8 (high*); the impact is remote code execution on the server that hosts VSPC.
- The root cause is an unsafe deserialization method used by the VSPC server when it communicates with the management agent and its components. A successful exploit lets an attacker run code of their choice on the VSPC server, which can expose backup data and disrupt data protection services.
Affected Systems
- Veeam Service Provider Console 7.x builds earlier than 7.0.0.18899
- Veeam Service Provider Console 8.x builds earlier than 8.0.0.19236
- Older, unsupported VSPC versions (no fix is issued for these; upgrade to a supported release)
IoCs
- None provided.
Recommended Solution(s)
Veeam responded promptly upon discovering the vulnerability by rolling out fixes in the latest builds of the Veeam Service Provider Console:
- Veeam Service Provider Console v7.0.0.18899
- Veeam Service Provider Console v8.0.0.19236
Mitigations
Veeam strongly recommends that all service providers running version 7 or 8 of the console apply these cumulative patches immediately. Those on older, unsupported versions should upgrade to a current supported release, since unsupported releases do not receive security fixes and remain exposed.
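To turn the build numbers above into a repeatable check, the following script compares installed VSPC build strings against the fixed builds (7.0.0.18899 and 8.0.0.19236) and flags hosts that still need the patch or an upgrade. It is an added example, not Veeam's own tooling or code from this advisory; the host inventory is constructed here for illustration, and the assumption that any 7.x or 8.x build numerically at or above the fixed build contains the fix is ours, not a statement from Veeam.

```python
"""Triage Veeam Service Provider Console builds against the CVE-2024-29212 fixed builds.

Added example. Assumptions (not from the advisory):
  - version strings are dotted integers, e.g. "8.0.0.19236";
  - any 7.x / 8.x build numerically >= the fixed build carries the fix;
  - majors below 7 are unsupported and must be upgraded rather than patched.
"""

# Fixed builds published in the advisory, keyed by major version.
FIXED_BUILDS = {
    7: (7, 0, 0, 18899),
    8: (8, 0, 0, 19236),
}


def parse_version(text):
    """Turn 'a.b.c.d' into a 4-tuple of ints, padding missing fields with 0.

    Raises ValueError on anything that is not one to four dotted integers,
    so a malformed inventory entry is reported rather than silently passed.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable VSPC version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def assess(version_text):
    """Return 'patched', 'vulnerable', 'unsupported' or 'unknown' for one build."""
    version = parse_version(version_text)
    major = version[0]
    if major in FIXED_BUILDS:
        # Tuple comparison is lexicographic, so 8.0.0.19000 < 8.0.0.19236 < 8.1.0.1.
        return "patched" if version >= FIXED_BUILDS[major] else "vulnerable"
    if major < 7:
        # No patch exists for end-of-life majors; the only remediation is an upgrade.
        return "unsupported"
    # A major newer than the advisory covers: this check cannot vouch for it.
    return "unknown"


def remediation(version_text):
    """Map a build to the action a provider should take, with the target build."""
    status = assess(version_text)
    major = parse_version(version_text)[0]
    if status == "vulnerable":
        target = ".".join(str(n) for n in FIXED_BUILDS[major])
        return f"apply cumulative patch {target}"
    if status == "unsupported":
        return "upgrade to a supported release (8.0.0.19236 or later)"
    if status == "unknown":
        return "verify against current Veeam advisory"
    return "none"


def triage(inventory):
    """Return (host, version, status, action) for every host that needs action.

    `inventory` is an iterable of (host, version_string) pairs; hosts whose
    build is already patched are omitted so the output is an action list.
    """
    findings = []
    for host, version_text in inventory:
        status = assess(version_text)
        if status != "patched":
            findings.append((host, version_text, status, remediation(version_text)))
    return findings


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample_inventory = [
        ("vspc-prod-01", "8.0.0.19236"),   # fixed build
        ("vspc-prod-02", "8.0.0.19000"),   # pre-fix 8.x
        ("vspc-lab-01", "7.0.0.18750"),    # pre-fix 7.x
        ("vspc-legacy", "6.0.0.9999"),     # end-of-life major
    ]
    for host, version, status, action in triage(sample_inventory):
        print(f"{host:14} {version:14} {status:12} -> {action}")
```

Feed `triage()` the host/build pairs from your own inventory (the VSPC version is shown in the console's About dialog and in the installed-programs list on the server); anything it returns is a host to patch or upgrade before it is reachable by a management agent again.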
CVE / CWE
CVE-2024-29212
Related Website(s)
* Vulnerabilities with a CVSS 3.1 score between 7.0 and 8.9 are evaluated to be “high” whereas vulnerabilities with a CVSS 3.1 score between 9.0 and 10.0 are evaluated to be “critical”.