Two severe vulnerabilities in Veeam Service Provider Console (VSPC) software have been patched, including one with a near-maximum CVSS score of 9.9. The issues, designated as CVE-2024-42448 and CVE-2024-42449, were identified during internal testing by Veeam.
Both flaws pose significant risks to system integrity, requiring immediate attention from affected service providers.
Details of the Vulnerabilities
Rated as critical with a CVSS v3.1 score of 9.9, CVE-2024-42448 is a remote code execution vulnerability on the VSPC server machine that is triggered from an authorized management agent; the attacker's prerequisite is therefore control of an agent that the server already trusts, not anonymous network access.
“A critical vulnerability in the VSPC presents a significant risk to organizations using this software,” commented Eric Schwake, director of cybersecurity strategy at Salt Security. “With a CVSS score of 9.9, this vulnerability allows for remote code execution on affected instances, potentially enabling attackers to gain complete control of the system and compromise sensitive data.”
Meanwhile, CVE-2024-42449 allows an attacker to leak the NTLM hash of the VSPC server service account and to delete files on the server machine. This vulnerability is rated as high severity, with a CVSS v3.1 score of 7.1.
These vulnerabilities affect VSPC 8.1.0.21377 and all earlier builds of versions 7 and 8. Unsupported product versions are likely vulnerable as well and should be updated.
Recommended Actions
Veeam has released a patch for these issues in build 8.1.0.21999. Users of supported versions are urged to apply this update immediately. Those running unsupported versions are strongly encouraged to upgrade to the latest VSPC release.
No mitigation methods are available, making the update the only viable solution to address these security flaws.
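Because there is no workaround, the only useful check is whether each VSPC server is already on the fixed build. The following PowerShell script is an added example for this article, not code from Veeam or the original page: it reads the installed product version from the standard Windows Uninstall registry keys and compares it to 8.1.0.21999. The product's registry DisplayName pattern (`Veeam Service Provider Console*`) is an assumption; adjust `$ProductMatch` if the entry is named differently on your hosts.

```powershell
# Added example (not Veeam's or the article's code): report whether the VSPC build on
# this Windows host is at or above the fixed build 8.1.0.21999 named in the advisory.
# Assumption: VSPC registers itself in the standard Uninstall registry keys with a
# DisplayName matching $ProductMatch. Exit code 0 = patched, 1 = action needed, 2 = not found.

$FixedBuild   = [version]'8.1.0.21999'              # first build containing the fix
$ProductMatch = 'Veeam Service Provider Console*'   # assumed DisplayName pattern

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Collect every registered product whose name matches and that carries a version string.
$entries = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $ProductMatch -and $_.DisplayVersion }

if (-not $entries) {
    Write-Output 'VSPC not found in the Uninstall registry keys on this host.'
    exit 2
}

$exitCode = 0
foreach ($e in $entries) {
    $installed = $null
    # DisplayVersion is a free-form string; refuse to guess if it is not a dotted version.
    if (-not [version]::TryParse($e.DisplayVersion, [ref]$installed)) {
        Write-Output ("{0}: unparsable version '{1}'; verify manually" -f $e.DisplayName, $e.DisplayVersion)
        $exitCode = 1
        continue
    }

    if ($installed -ge $FixedBuild) {
        # 8.1.0.21999 or any later release already carries the fix.
        Write-Output ("{0} {1}: patched (>= {2})" -f $e.DisplayName, $installed, $FixedBuild)
    }
    elseif (@(7, 8) -contains $installed.Major) {
        # Supported branch, but an earlier build: affected by both CVEs.
        Write-Output ("{0} {1}: VULNERABLE to CVE-2024-42448 / CVE-2024-42449; update to {2}" -f $e.DisplayName, $installed, $FixedBuild)
        $exitCode = 1
    }
    else {
        # Older than version 7: unsupported, and per the advisory likely vulnerable.
        Write-Output ("{0} {1}: unsupported version; treat as vulnerable and upgrade to the latest release" -f $e.DisplayName, $installed)
        $exitCode = 1
    }
}
exit $exitCode
```

Run it in an elevated PowerShell session on each VSPC server (or push it through your endpoint management tooling) and act on any non-zero exit code; because the fix threshold is a single build number, the same comparison can be applied to an exported software inventory if you do not have shell access to every host.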
“To mitigate these risks, service providers and vendors must prioritize timely patching and vulnerability management to reduce the attack surface, while companies should implement a multi-layered security approach, combining secure backups, regular patching cycles and effective incident response plans,” said Elad Luz, head of research at Oasis Security.
“Without such measures, businesses leave themselves vulnerable to significant cybersecurity threats, underlining the need for robust vendor security management and continuous security monitoring within both their internal systems and the services they rely on.”