Veeam Service Provider Console Vulnerability
( CVE-2024-29212 )
Article Applicability
This article documents a vulnerability discovered in Veeam Service Provider Console.
This vulnerability does not affect other Veeam products (e.g., Veeam Backup & Replication, Veeam Agent for Microsoft Windows, Veeam ONE).
Issue Details
CVE-2024-29212
Due to an unsafe deserialization method used by the Veeam Service Provider Console (VSPC) server in communication between the management agent and its components, under certain conditions, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine.
This vulnerability was detected during internal testing.
Severity: Critical
CVSS v3.1 Score: 9.9CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Solution
The vulnerability documented in this article was fixed starting in the following builds of Veeam Service Provider Console:
Critical Update
We encourage service providers using supported versions of Veeam Service Provider Console (versions 7 & 8) to update to the latest cumulative patch. Service Providers using unsupported versions are strongly encouraged to upgrade to the latest version of Veeam Service Provider Console.
More Information
Veeam has issued an enhanced update to address this critical vulnerability in VCSP. Although our initial patchVeeam Service Provider Console 7.0.0.18899 Veeam Service Provider Console 8.0.0.19236 effectively addressed the primary concern, a subsequent review identified an area for further improvement. To ensure comprehensive protection, we swiftly developed and released a refined patch that fully mitigates the issue. We're confident this updated version reinforces the security of VCSP and demonstrates our commitment to continually strengthening our response measures.
To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.