Veeam on Dec. 3 released patches for two vulnerabilities in the Veeam Service Provider Console (VSPC), one of them a critical bug rated CVSS 9.9 that, if exploited, could let attackers perform remote code execution (RCE) on the VSPC server machine.
In its advisory, Veeam said there’s no mitigation for the vulnerabilities — the only remedy is for security teams to upgrade to the latest version of the VSPC.
The company said both vulnerabilities affect VSPC build 8.1.0.21377 and all earlier version 7 and version 8 builds. Both bugs are fixed in build 8.1.0.21999.
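Because the advisory offers no mitigation other than upgrading, the first practical check is whether a given VSPC build falls in the affected range. The following helper is an added example written for this article, not Veeam's code: it applies the advisory's stated rule (build 8.1.0.21377 and every earlier 7.x or 8.x build is affected; 8.1.0.21999 carries the fix) to build strings supplied by the operator, comparing version components numerically rather than as text so that a build like 8.1.0.3 is correctly ranked below 8.1.0.21377. The sample inventory at the bottom is constructed for illustration.

```python
"""Classify Veeam Service Provider Console builds against the Dec. 3 advisory.

Rule taken from the advisory text: build 8.1.0.21377 and all earlier 7.x and
8.x builds are affected; build 8.1.0.21999 is the fixed release. Builds the
advisory does not speak to (other major versions, or builds between the last
vulnerable and the fixed build) are reported as 'unknown' rather than guessed.
"""
from typing import Dict, List, Tuple

LAST_VULNERABLE_BUILD = "8.1.0.21377"
FIXED_BUILD = "8.1.0.21999"
AFFECTED_MAJORS = (7, 8)


def parse_build(build: str) -> Tuple[int, ...]:
    """Turn a dotted build string into a tuple of ints for numeric comparison."""
    parts = build.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric build string: {build!r}")
    return tuple(int(p) for p in parts)


def classify(build: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unknown' for one VSPC build string."""
    v = parse_build(build)
    if v[0] not in AFFECTED_MAJORS:
        return "unknown"  # advisory only covers version 7 and 8 builds
    if v <= parse_build(LAST_VULNERABLE_BUILD):
        return "vulnerable"
    if v >= parse_build(FIXED_BUILD):
        return "fixed"
    return "unknown"  # gap between last vulnerable and fixed build: not stated


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hostnames by status so the 'vulnerable' list is the upgrade queue."""
    groups: Dict[str, List[str]] = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, build in inventory.items():
        groups[classify(build)].append(host)
    for hosts in groups.values():
        hosts.sort()
    return groups


# Constructed sample inventory (hypothetical hostnames and builds, not real data).
SAMPLE_INVENTORY = {
    "vspc-prod-01": "8.1.0.21377",   # last vulnerable build named in the advisory
    "vspc-prod-02": "8.1.0.21999",   # fixed build
    "vspc-lab-01": "7.0.0.1",        # older version 7 build, still affected
    "vspc-lab-02": "8.1.0.3",        # would sort wrong under string comparison
    "vspc-test-01": "9.0.0.1",       # outside the advisory's stated range
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Hosts in the `vulnerable` group need the upgrade; the `unknown` group is a prompt to consult Veeam directly rather than an all-clear.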
Security pros said the critical bug, CVE-2024-42448, was the more serious of the two because it leads to RCE. The other bug, CVE-2024-42449, rated 7.1 (high), could let attackers leak the NTLM hash of the VSPC server service account and delete files on the VSPC server machine.
Mayuresh Dani, manager of security research at the Qualys Threat Research Unit, said both CVE-2024-42448 and CVE-2024-42449 are high-priority vulnerabilities. However, Dani said CVE-2024-42448 has the higher impact of the two, as it allows an RCE on the VSPC server.
“VSPC lets service providers monitor customer backups, manage recovery operations, and centralize backup management,” explained Dani. “Successful exploitation on one such server would come with a lot of damage and cause a loss of customer data as it will significantly affect system integrity, availability, and confidentiality, risking customer data and backup-related processes.”
Dani added that CVE-2024-42449 is no less important as it lets attackers extract NTLM hashes of the VSPC server service account and delete arbitrary files on the server. Dani said attackers can use these hashes to escalate privileges within the system — a tactic that’s been a known modus operandi of multiple initial access brokers.
“Ripple effects could be seen as many organizations depend on such service providers to augment their disaster recovery,” said Dani.
Eric Schwake, director of cybersecurity strategy at Salt Security, pointed out that a critical vulnerability in the VSPC presents a significant risk to organizations using this software. With a CVSS score of 9.9, Schwake said this vulnerability allows for an RCE on affected instances, potentially letting attackers gain complete control of the system and compromise sensitive data.
“Security teams should prioritize patching their VSPC deployments immediately to mitigate this risk,” said Schwake. “Additionally, this incident highlights the importance of securing APIs, which are often used to manage and interact with backup and recovery solutions like VSPC. Organizations should ensure their API security strategy includes robust authentication, authorization, and continuous monitoring to prevent unauthorized access and protect against potential attacks.”
Meny Har, co-founder and CEO of Opus Security, said while a CVSS score of 9.9 is severe, it’s not uncommon — many organizations face tens of thousands or more vulnerabilities with this score. Har said relying solely on CVSS scores for prioritization can be overwhelming, as teams often lack the time and resources to address every high-severity issue.
Effective prioritization requires additional context, said Har. Teams need to pose the following questions: Is the asset exposed? Is the vulnerability being actively exploited? Would its exploitation have real business impact?
“There are many scenarios where high CVSS vulnerabilities turn out to be low-priority in practice — for example, an RCE vulnerability on an inaccessible test environment,” said Har. “That’s why organizations are adopting smarter, multi-layered prioritization frameworks to focus on the vulnerabilities that truly matter and make staying on top of vulnerabilities that matter a reality.”