- May 9, 2024
- Beazley Security Labs
Critical Vulnerability In Veeam Service Provider Console (VSPC) (CVE-2024-29212)
Executive Summary
On May 7th, Veeam Software reported a critical vulnerability they found during internal testing of their Veeam Service Provider Console (VSPC) product. The vulnerability allows a remote attacker with low level access credentials the ability to carry out arbitrary remote code execution (RCE) on a victim machine. This vulnerability is being tracked as CVE-2024-29212.
Veeam discovered and patched the vulnerability themselves as part of internal testing, and there were no known uses of the vulnerability at the time of disclosure. However, the targeted software is available to download for free from Veeam's website, and we expect financially motivated threat actors to reverse engineer the patch in order to develop and deploy weaponized exploits in the next few days. It should be noted that around this time last year, a similarly self-reported Veeam vulnerability (CVE-2023-27532) was used by ransomware gangs in widespread attacks in the weeks after disclosure.
Given these factors, Lodestone believes immediate application of Veeam’s released software patches is crucial.
Affected Systems or Products
The vulnerability affects the following versions of Veeam Service Provider Console (VSPC):
- Veeam Service Provider Console prior to 7.0.0.18899
- Veeam Service Provider Console prior to 8.0.0.19236
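The two fixed builds above define the affected ranges: any build below 7.0.0.18899 (including 6.x and older) is affected, and any 8.x build below 8.0.0.19236 is affected. The following Python is an added example for triaging an asset inventory against those thresholds; it is not Veeam's code or part of the advisory. It assumes VSPC version strings have already been collected into a host-to-version mapping by the organization's own inventory tooling (the advisory does not say where VSPC records its build number), and the inventory shown is constructed sample data.

```python
from typing import Dict, List, Tuple

# Fixed builds taken from the advisory; a build below its line's fixed build is affected.
FIXED_V7 = (7, 0, 0, 18899)
FIXED_V8 = (8, 0, 0, 19236)


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse a dotted VSPC build string such as '8.0.0.19000' into a 4-tuple of ints.

    Missing trailing components are treated as zero ('8.0' -> (8, 0, 0, 0)) so that
    integer comparison works; anything non-numeric is rejected rather than guessed.
    """
    parts = [p.strip() for p in version.strip().split(".")]
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised VSPC version string: {version!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return nums[0], nums[1], nums[2], nums[3]


def is_affected(version: str) -> bool:
    """True if the given VSPC build falls in an affected range for CVE-2024-29212."""
    v = parse_version(version)
    # "prior to 7.0.0.18899" covers every 6.x/older build and pre-fix 7.0.0 builds.
    if v < FIXED_V7:
        return True
    # "prior to 8.0.0.19236" only concerns the 8.x line; patched 7.x builds are fine.
    if v[0] == 8 and v < FIXED_V8:
        return True
    # Patched 7.x, patched 8.x, or a line the advisory does not list.
    return False


# Constructed sample inventory (hypothetical hostnames and builds, not real systems).
INVENTORY: Dict[str, str] = {
    "vspc-prod-01": "8.0.0.19000",   # 8.x below the fixed build -> affected
    "vspc-prod-02": "8.0.0.19236",   # exactly the 8.x fixed build -> not affected
    "vspc-lab": "7.0.0.18500",       # 7.x below the fixed build -> affected
    "vspc-dr": "7.0.0.18899",        # exactly the 7.x fixed build -> not affected
    "vspc-legacy": "6.0.0.7000",     # unsupported 6.x, prior to 7.0.0.18899 -> affected
}


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the sorted list of hosts whose VSPC build needs the vendor patch."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host}: VSPC {INVENTORY[host]} is affected by CVE-2024-29212, patch required")
```

Exact matches on the fixed builds are deliberately reported as not affected, since the advisory names those builds as the fixed versions; a host whose version string cannot be parsed raises rather than silently passing triage.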
Mitigations / Workarounds
There are no mitigations or workarounds that address this vulnerability. The only provided fix is the vendor supplied software update.
Patches
Veeam provided software patches at the time of disclosure. Users with supported versions of Veeam Service Provider Console can update to the latest cumulative patch. Users with unsupported versions of Veeam Service Provider Console are strongly encouraged to upgrade to the latest version of Veeam Service Provider Console.
How Beazley Security is responding
Beazley Security is monitoring client perimeter devices discovered by our Attack Surface Management Solution, Karma, to identify potentially impacted devices and support organizations in remediation of any issues found.