For anyone running the Veeam Service Provider Console, v7 or v8, a vulnerability was detected and a patch released a few weeks ago. Today, the patch was re-released with additional improvements. If you are running unpatched, or if you applied the original patch, it is recommended to update to the latest release. Note that this vulnerability does not apply to Veeam Backup & Replication, Veeam Agent for Windows or Veeam ONE; it applies only to the Service Provider Console. More information is available at https://www.veeam.com/kb4575.
Issue Details
CVE-2024-29212
Due to an unsafe deserialization method used by the Veeam Service Provider Console (VSPC) server in communication between the management agent and its components, under certain conditions, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine.
This vulnerability was detected during internal testing.
Severity: Critical
CVSS v3.1 Score: 9.9
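The advisory attributes the RCE to an "unsafe deserialization method" on the agent-to-server channel but does not name the API or the message types involved. The following C# snippet is an added illustration written for this post, not Veeam's code: it places the classic unsafe .NET pattern (BinaryFormatter, which reconstructs whatever type the sender names in the payload) beside a hardened decoder that fixes the target type server-side, bounds the payload, and validates the decoded fields. The AgentHeartbeat message type, the field names and the size limits are assumptions made for the example.

```csharp
// Added illustration, not Veeam's code. The advisory does not name the
// deserializer VSPC used; BinaryFormatter is assumed here as the canonical
// unsafe .NET example. Modern .NET (8+) disables it by default for this reason.
using System;
using System.IO;
using System.Text.Json;

// Hypothetical message carried on the agent-to-server channel.
public sealed class AgentHeartbeat
{
    public string AgentId { get; set; } = "";
    public DateTimeOffset SentAt { get; set; }
    public int PendingJobs { get; set; }
}

public static class AgentMessageCodec
{
    // VULNERABLE PATTERN: the wire payload decides which .NET type is
    // instantiated, so an attacker who can reach the channel controls what
    // runs during deserialization. Microsoft marks this API obsolete (SYSLIB0011).
#pragma warning disable SYSLIB0011
    public static object DecodeUnsafe(byte[] payload)
    {
        var formatter = new System.Runtime.Serialization.Formatters.Binary.BinaryFormatter();
        using var ms = new MemoryStream(payload);
        return formatter.Deserialize(ms); // type chosen by the sender
    }
#pragma warning restore SYSLIB0011

    // HARDENED PATTERN: a data-only contract decoded with System.Text.Json.
    // The target type is fixed by the server, no type names are honoured from
    // the wire, depth and size are bounded, and fields are validated after decode.
    private const int MaxPayloadBytes = 64 * 1024; // assumed limit

    private static readonly JsonSerializerOptions Options = new()
    {
        PropertyNameCaseInsensitive = false,
        AllowTrailingCommas = false,
        MaxDepth = 8,
    };

    public static AgentHeartbeat DecodeSafe(byte[] payload)
    {
        if (payload is null || payload.Length == 0 || payload.Length > MaxPayloadBytes)
            throw new InvalidDataException("agent message rejected: bad size");

        var msg = JsonSerializer.Deserialize<AgentHeartbeat>(payload, Options)
                  ?? throw new InvalidDataException("agent message rejected: null body");

        if (string.IsNullOrWhiteSpace(msg.AgentId) || msg.AgentId.Length > 128)
            throw new InvalidDataException("agent message rejected: bad AgentId");
        if (msg.PendingJobs < 0)
            throw new InvalidDataException("agent message rejected: bad PendingJobs");
        return msg;
    }

    public static byte[] Encode(AgentHeartbeat msg) =>
        JsonSerializer.SerializeToUtf8Bytes(msg, Options);
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample message for the round trip.
        var sent = new AgentHeartbeat { AgentId = "agent-01", SentAt = DateTimeOffset.UtcNow, PendingJobs = 3 };
        var received = AgentMessageCodec.DecodeSafe(AgentMessageCodec.Encode(sent));
        Console.WriteLine($"{received.AgentId} pending={received.PendingJobs}");

        // Anything that is not a well-formed AgentHeartbeat JSON document is
        // rejected before any object is built, e.g. a binary .NET object graph.
        try { AgentMessageCodec.DecodeSafe(new byte[] { 0x00, 0x01, 0x00, 0x00, 0x00 }); }
        catch (Exception e) { Console.WriteLine($"rejected: {e.GetType().Name}"); }
    }
}
```

The point of the contrast is that a patch for this class of bug is not only about rejecting bad input: the decoder itself must be one that cannot be talked into instantiating arbitrary types, which is why the hardened form switches format rather than filtering BinaryFormatter payloads.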