Full Report
Veeam has released security updates to address a critical flaw impacting Service Provider Console (VSPC) that could pave the way for remote code execution on susceptible instances. The vulnerability, tracked as CVE-2024-42448, carries a CVSS score of 9.9 out of a maximum of 10.0. The company noted that the bug was identified during internal testing. "From the VSPC management agent machine, under
Analysis Summary
# Vulnerability: Critical RCE in Veeam Service Provider Console
## CVE Details
- CVE ID: CVE-2024-42448
- CVSS Score: 9.9 (Critical)
- CWE: Not specified in the source; the authorized-agent precondition suggests an injection or improper-access-control weakness leading to RCE, but the advisory names no CWE.
## Affected Systems
- Products: Veeam Service Provider Console (VSPC)
- Versions: 8.1.0.21377 and all earlier builds of versions 7 and 8.
- Configurations: Exploitation must originate from a VSPC management agent machine, and that agent must be authorized on the VSPC server.
## Vulnerability Description
CVE-2024-42448 is a critical vulnerability residing in the Veeam Service Provider Console (VSPC). If an attacker gains access from the VSPC management agent machine and the agent is authorized on the VSPC server, it is possible to achieve Remote Code Execution (RCE) on the VSPC server machine.
*Note: A secondary vulnerability, CVE-2024-42449 (CVSS 7.1), allows for NTLM hash leaking of the VSPC server service account and file deletion on the VSPC server, also affecting the same versions.*
## Exploitation
- Status: Identified during Veeam's internal testing; the source does not report exploitation in the wild, but the outcome is RCE and the severity is critical.
- Complexity: Implied to be non-trivial, since it requires an authorized management agent context; the source gives no further detail.
- Attack Vector: Assumed to be **Local/Internal Network** since it originates "From the VSPC management agent machine."
## Impact
- Confidentiality: High (Due to RCE achieving arbitrary code execution)
- Integrity: High (Due to RCE achieving arbitrary code execution)
- Availability: High (Due to RCE achieving arbitrary code execution)
## Remediation
### Patches
- Veeam Service Provider Console version **8.1.0.21999** or newer.
### Workarounds
- Veeam advisory states there are **no mitigations**; upgrading is the only solution.
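Since upgrading is the only remediation, the practical first step is to triage every VSPC server by build number against the version boundaries given in the Affected Systems and Patches sections. The following is an added example written for this summary, not code from Veeam or from the advisory: it encodes the last affected build (8.1.0.21377) and the first fixed build (8.1.0.21999) from the page, classifies each host, and lists which ones still need action. The inventory is constructed for illustration, and how the version string is retrieved from a real VSPC installation is assumed to be handled elsewhere. The "unknown" band for builds between the last affected and first fixed build is this example's own conservative choice, because the page does not say whether such builds exist or are safe.

```python
"""Triage VSPC build numbers against the CVE-2024-42448 / CVE-2024-42449 advisory.

Boundaries below are taken from the analysis summary on this page:
  - affected: 7.x and 8.x builds up to and including 8.1.0.21377
  - fixed:    8.1.0.21999 or newer
"""
from __future__ import annotations

LAST_AFFECTED_BUILD = (8, 1, 0, 21377)   # last build the advisory lists as affected
FIXED_BUILD = (8, 1, 0, 21999)           # first build the advisory lists as fixed
AFFECTED_MAJORS = {7, 8}                 # only major versions 7 and 8 are listed

# Constructed sample inventory (hostnames and builds are made up for this example).
SAMPLE_INVENTORY = {
    "vspc-prod-01": "8.1.0.21377",   # last affected build
    "vspc-prod-02": "8.1.0.21999",   # first fixed build
    "vspc-lab-01": "7.0.0.23",       # old 7.x build
    "vspc-lab-02": "8.1.0.21500",    # between the two boundaries; not covered by the page
}


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Parse a dotted build string into a 4-tuple, padding missing parts with 0.

    Tuples compare lexicographically, so (8, 1, 0, 21377) < (8, 1, 0, 21999).
    """
    parts = version.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised VSPC version string: {version!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return nums[0], nums[1], nums[2], nums[3]


def classify(version: str) -> str:
    """Return one of: 'patched', 'affected', 'unknown', 'not-listed'."""
    v = parse_version(version)
    if v >= FIXED_BUILD:
        return "patched"            # fixed build or anything newer
    if v[0] not in AFFECTED_MAJORS:
        return "not-listed"         # e.g. a 6.x build: not covered by the advisory, verify separately
    if v <= LAST_AFFECTED_BUILD:
        return "affected"
    # Assumption of this example: builds after 8.1.0.21377 but before 8.1.0.21999
    # are not described on the page, so treat them as unpatched until verified.
    return "unknown"


def triage(inventory: dict[str, str]) -> tuple[dict[str, str], list[str]]:
    """Classify every host and return (status_by_host, hosts_needing_action).

    Any host whose status is not 'patched' needs action, since the advisory
    offers no mitigation other than upgrading.
    """
    status = {host: classify(build) for host, build in inventory.items()}
    needs_action = sorted(h for h, s in status.items() if s != "patched")
    return status, needs_action


if __name__ == "__main__":
    statuses, todo = triage(SAMPLE_INVENTORY)
    for host, state in sorted(statuses.items()):
        print(f"{host:14} {SAMPLE_INVENTORY[host]:14} {state}")
    print("needs upgrade:", ", ".join(todo))
```

Feed `triage` the real host-to-build mapping from your asset inventory; every host that does not come back as `patched` should be scheduled for the upgrade to 8.1.0.21999 or newer.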
## Detection
- Detection methods are not specified in the source article. Given the RCE nature, indicators would involve unusual process execution or file modifications originating from the VSPC service account or management agent context.
## References
- Vendor Advisory: https://www.veeam.com/kb4679
- News Article: https://thehackernews.com/2024/12/veeam-issues-patch-for-critical-rce.html