Veeam fixes RCE flaw in backup management platform (CVE-2024-29212)
Veeam has patched a high-severity vulnerability in Veeam Service Provider Console and is urging customers to implement the patch.
Veeam Service Provider Console is a cloud platform used by managed services providers and enterprises to manage and monitor data backup operations.
"Service providers can deploy Veeam Service Provider Console to deliver Veeam-powered Backup-as-a-Service and Disaster Recovery-as-a-Service services to their customers. Enterprises can use the solution to streamline backup operations in remote and branch offices, or other locations," the company explains.
CVE-2024-29212 exists due to an unsafe deserialization method used by the Veeam Service Provider Console server during communication between the management agent and its components.
In 2013, cybercriminals exploited CVE-2023-27532, a vulnerability in Veeam Backup & Replication.
"We encourage service providers using supported versions of Veeam Service Provider Console to update to the latest cumulative patch. Service providers using unsupported versions are strongly encouraged to upgrade to the latest version of Veeam Service Provider Console," the company advised.
News URL
https://www.helpnetsecurity.com/2024/05/08/cve-2024-29212/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-05-14 | CVE-2024-29212 | Due to an unsafe de-serialization method used by the Veeam Service Provider Console (VSPC) server in communication between the management agent and its components, under certain conditions, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine. | 0.0 |
2023-03-10 | CVE-2023-27532 | Missing Authentication for Critical Function vulnerability in Veeam Backup & Replication 11.0.1.1261/12.0.0.1420. Vulnerability in Veeam Backup & Replication component allows encrypted credentials stored in the configuration database to be obtained. | 7.5 |