Following the discovery of a critical vulnerability, Veeam requests updates.

To fix a serious flaw in the Veeam Service Provider Console (VSPC) that could result in remote code execution (RCE) if exploited, data security firm Veeam has published an update. Veeam found the vulnerability, which is tracked as CVE-2024-42448 and has a CVSS score of 9.9, during internal testing.

In the process, Veeam discovered another vulnerability, CVE-2024-42449, rated high severity with a CVSS score of 7.1, which may erase files from the computer and leak an NTLM hash of the VSPC server service account. VSPC 8.1.0.21377 and all previous builds of 7 and 8 are vulnerable to both flaws.

In an email to Dark Reading, Oasis Security's head of research, Elad Luz, stated, "These service providers often trust their third-party vendor tools to manage client data and ensure business continuity." "Critical backup infrastructure is vulnerable to possible exploitation when these providers, such as Veeam, have flaws that permit remote code execution. Because these sectors house sensitive data that is appealing to cybercriminals, the danger is increased in sectors like finance, healthcare, and legal services where data security is crucial."


Veeam advises users of the supported versions of VSPC to update to the most recent cumulative patch, because there are currently no mitigations for these vulnerabilities.