Critical Vulnerabilities Found in Veeam Service Provider Console

Two critical vulnerabilities (CVE-2024-42448 and CVE-2024-42449) have been identified in Veeam Service Provider Console (VSPC), prompting an urgent call for users to update their systems.

According to Veeam’s latest security advisory, the vulnerabilities affect all builds of VSPC versions 7 and 8. The first flaw (CVE-2024-42448) allows for remote code execution (RCE) on the server when exploited by an authorized management agent, carrying a CVSS score of 9.9. The second issue (CVE-2024-42449) exposes the system to NTLM hash leaks and file deletions, with a CVSS score of 7.1.

Veeam has confirmed that these vulnerabilities were discovered during internal testing and stressed that there are no available mitigations other than upgrading to version 8.1.0.21999 or later.

Service providers using VSPC are strongly advised to apply the patch immediately. Unsupported versions should be upgraded to the latest release to ensure continued security.

Attractive Targets

The recent Veeam vulnerabilities underscore the ongoing challenges managed service providers (MSPs) face in vulnerability and patch management, comments Elad Luz, Head of Research at Oasis Security.  MSPs often depend heavily on third-party tools to manage client data and maintain business continuity. When these tools, like Veeam, are compromised—especially through vulnerabilities enabling remote code execution (RCE)—critical backup systems become attractive targets for cybercriminals.

Luz says this risk is particularly severe in sectors such as finance, healthcare, and legal services, where safeguarding sensitive data is paramount.

Proactively investing in secure backup and recovery solutions is key to preventing ransomware attacks and data breaches. A compromised backup system can hinder an organization’s ability to recover, leaving both live and backup systems vulnerable to exploitation. To mitigate these risks, organizations must prioritize timely patching, adopt a multi-layered security strategy, and implement effective incident response plans, thereby reducing their exposure to cyber threats, explains Luz.

Severe Operational, Security Risks

Jason Soroko, Senior Fellow at Sectigo, adds that the impact of these vulnerabilities is substantial. CVE-2024-42448, with a critical CVSS score of 9.9 out of 10, allows for remote code execution (RCE) on the VSPC server machine from an authorized management agent machine. “This means that an attacker who gains control of a management agent could execute arbitrary code on the server, potentially leading to full system compromise, data theft, or service disruption.   Teams should immediately prioritize applying the security updates provided by Veeam.  Delaying this action exposes your infrastructure to potential attacks that could have significant operational and security implications.”

“CVE-2024-42449 allows attackers to extract NTLM hashes and delete files, potentially escalating privileges within the system,” adds Mayuresh Dani, Manager of Security Research at Qualys. “These methods are commonly exploited by initial access brokers. Organizations should update to VSPC version 8.1.0.21999 to protect their systems and ensure business continuity.”

This incident also highlights the importance of securing APIs, which are integral to managing backup and recovery solutions, explains Eric Schwake, Director of Cybersecurity Strategy at Salt Security. “A robust API security strategy, including strong authentication, authorization, and continuous monitoring, is vital to safeguarding against unauthorized access and potential cyberattacks.”