Veeam warns of critical RCE bug in Service Provider Console

​Veeam released security updates today to address two Service Provider Console (VSPC) vulnerabilities, including a critical remote code execution (RCE) discovered during internal testing.

VSPC, described by the company as a remote-managed BaaS (Backend as a Service) and DRaaS (Disaster Recovery as a Service) platform, is used by service providers to monitor the health and security of customer backups, as well as manage their Veeam-protected virtual, Microsoft 365, and public cloud workloads.

The first security flaw fixed today (tracked as CVE-2024-42448 and rated with a 9.9/10 severity score) enables attackers to execute arbitrary code on unpatched servers from the VSPC management agent machine.

Veeam also patched a high-severity vulnerability (CVE-2024-42449) that can let attackers steal the NTLM hash of the VSPC server service account and use the gained access to delete files on the VSPC server.

However, as the company explained in a security advisory published today, these two vulnerabilities can only be exploited successfully if the management agent is authorized on the targeted server.

The flaws impact VPSC 8.1.0.21377 and all earlier versions, including builds 8 and 7, but unsupported product versions are also likely affected and "should be considered vulnerable," even though they weren't tested.

"We encourage service providers using supported versions of Veeam Service Provider Console (versions 7 & 8) to update to the latest cumulative patch," Veeam said.

"Service Providers using unsupported versions are strongly encouraged to upgrade to the latest version of Veeam Service Provider Console."

Recent wild exploitation targeting Veeam vulnerabilities has shown that it's crucial to patch vulnerable servers as soon as possible to block potential attacks.

As Sophos X-Ops incident responders revealed last month, an RCE flaw (CVE-2024-40711) in Veeam's Backup & Replication (VBR) software disclosed in September is now exploited to deploy Frag ransomware.

The same vulnerability is also used to gain remote code execution on vulnerable VBR servers in Akira and Fog ransomware attacks.

Veeam says its products are used by over 550,000 customers worldwide, including 74% of all Global 2,000 companies and 82% of Fortune 500.