Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
Veeam Urges Updates After Discovering Critical Vulnerability
The vulnerability affects certain versions of the Veeam Service Provider Console that can only be fixed by updating with the latest patch.
Kristina Beek, Associate Editor, Dark Reading
December 4, 2024
1 Min Read
Source: Postmodern Studio via Alamy Stock Photo
NEWS BRIEF
Data protection vendor Veeam released an update to address a critical vulnerability affecting the Veeam Service Provider Console (VSPC) that, if exploited, could lead to remote code execution (RCE).
Tracked as CVE-2024-42448 with a CVSS score of 9.9, the vulnerability was discovered by Veeam during internal testing.
Veeam found another vulnerability in the process, CVE-2024-42449, with a high CVSS score of 7.1, which could leak an NTLM hash of the VSPC server service account and delete files off the machine.
Both of the vulnerabilities affect VSPC 8.1.0.21377 and all earlier versions of 7 and 8 builds.
"These service providers often trust their third-party vendor tools to manage client data and ensure business continuity," Elad Luz, head of research as Oasis Security, wrote in an emailed statement to Dark Reading. "When these vendors, like Veeam, have vulnerabilities that allow remote code execution, it exposes critical backup infrastructure to potential exploitation. In industries where data security is paramount, such as finance, healthcare, and legal services, the risk is amplified as these sectors hold sensitive data that is attractive to cybercriminals."
As there are no mitigations available for these vulnerabilities, Veeam recommends users of the supported versions of VSPC update to the latest cumulative patch.
Read more about:
news briefsAbout the Author
You May Also Like
More Insights
Webinars
_KonstantinNechaev-Alamy.jpg?width=700&auto=webp&quality=80&disable=upscale)
