Veeam addressed critical Service Provider Console (VSPC) bug

Veeam addressed a critical vulnerability in Service Provider Console (VSPC) that could allow remote attackers to execute arbitrary code.

Veeam released security updates for a critical vulnerability, tracked as CVE-2024-42448 (CVSS score of 9.9) impacting Service Provider Console. Successful exploitation of the flaw can potentially lead to remote code execution on vulnerable installs.

Veeam Service Provider Console (VSPC) is a management and monitoring solution designed for service providers offering backup, disaster recovery, and cloud services. It enables centralized management of Veeam-powered solutions across multiple tenants, providing tools for billing, reporting, and automated deployment.

The vulnerability affects Veeam Service Provider Console 8.1.0.21377 and all earlier versions 8 and 7 builds.

“From the VSPC management agent machine, under the condition that the management agent is authorized on the server, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine.” reads the advisory.

The company confirmed that its experts discovered the vulnerability during internal testing.

Veeam also addressed a vulnerability, tracked as CVE-2024-42449 (CVSS score 7.1) that could be exploited to leak an NTLM hash of the VSPC server service account and delete files on the VSPC server machine.

“From the VSPC management agent machine, under the condition that the management agent is authorized on the server, it is possible to leak an NTLM hash of the VSPC server service account and delete files on the VSPC server machine.” reads the advisory.

Both vulnerabilities have been addressed in version 8.1.0.21999.

Organizations are recommended to upgrade to the latest version of the software.

In the past, threat actors exploited Veeam flaws for ransomware attacks. In November, researchers reported that a critical flaw, tracked as CVE-2024-40711, in Veeam Backup & Replication (VBR) was exploited to deploy Frag ransomware.

After the Akira and Fog ransomware attacks, experts warned of threat actors attempting to deploy Frag ransomware actively exploiting CVE-2024-40711.

In mid-October, Sophos researchers warned that ransomware operators are exploiting the vulnerability CVE-2024-40711 to create rogue accounts and deploy malware.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Service Provider Console)