Veeam has released security updates to address two vulnerabilities in its Service Provider Console (VSPC), including a critical remote code execution (RCE) flaw. The VSPC is a remote-managed Backend as a Service and Disaster Recovery as a Service platform used by service providers to monitor customer backups and manage protected workloads.
The first vulnerability, tracked as CVE-2024-42448, allows attackers to execute arbitrary code on unpatched servers from the management agent machine. The second vulnerability, CVE-2024-42449, can be exploited to steal the NTLM hash of the VSPC server service account and delete files on the server.
However, these vulnerabilities can only be successfully exploited if the management agent is authorized on the targeted server. The flaws impact VSPC 8.1.0.21377 and all earlier versions, including builds 8 and 7, but unsupported product versions may also be affected.
Veeam advises service providers using supported versions of VSPC to update to the latest cumulative patch. Those using unsupported versions are strongly encouraged to upgrade to the latest version of VSPC. As recent wild exploitation targeting Veeam vulnerabilities highlights, it is crucial to patch vulnerable servers as soon as possible to block potential attacks.
Source: https://www.bleepingcomputer.com/news/security/veeam-warns-of-critical-rce-bug-in-service-provider-console