Veeam warns of critical RCE bug in Service Provider Console Veeam released security ...

npub1zm7…pnd6

2024-12-04 07:01:04

Veeam warns of critical RCE bug in Service Provider Console

Veeam released security updates today to address two Service Provider Console (VSPC) vulnerabilities, including a critical remote code execution (RCE) discovered during internal testing.

VSPC, described by the company as a remote-managed BaaS (Backend as a Service) and DRaaS (Disaster Recovery as a Service) platform, is used by service providers to monitor the health and security of customer backups, as well as manage their Veeam-protected virtual, Microsoft 365, and public cloud workloads.

The first security flaw fixed today (tracked as CVE-2024-42448 and rated with a 9.9/10 severity score) enables attackers to execute arbitrary code on unpatched servers from the VSPC management agent machine.

Veeam also patched a high-severity vulnerability (CVE-2024-42449) that can let attackers steal the NTLM hash of the VSPC server service account and use the gained access to delete files on the VSPC server.

See more:
BleepingComputer: https://www.bleepingcomputer.com/news/security/veeam-warns-of-critical-rce-bug-in-service-provider-console/

The Hackers News: https://thehackernews.com/2024/12/veeam-issues-patch-for-critical-rce.html

#cybersecurity #rce #veeam

Author Public Key

npub1zm7jduqq2nmxz5wxh4ujtm00g9vxzqa0r82yt7flvm67yje5gfaqa5pnd6

Seen on

wss://relay.primal.net

Show more details

Published at

2024-12-04 07:01:04

Kind type

1 Short Text Note

Event JSON

{ "id": "1478f36d05ca7eed4fb122c531d77f8a34277e96fa6c1b5759ca90218127e2d7", "pubkey": "16fd26f00054f66151c6bd7925edef41586103af19d445f93f66f5e24b34427a", "created_at": 1733295664, "kind": 1, "tags": [ [ "t", "cybersecurity" ], [ "t", "rce" ], [ "t", "veeam" ], [ "r", "https://www.bleepingcomputer.com/news/security/veeam-warns-of-critical-rce-bug-in-service-provider-console/" ], [ "r", "https://thehackernews.com/2024/12/veeam-issues-patch-for-critical-rce.html" ] ], "content": "Veeam warns of critical RCE bug in Service Provider Console\n\nVeeam released security updates today to address two Service Provider Console (VSPC) vulnerabilities, including a critical remote code execution (RCE) discovered during internal testing.\n\nVSPC, described by the company as a remote-managed BaaS (Backend as a Service) and DRaaS (Disaster Recovery as a Service) platform, is used by service providers to monitor the health and security of customer backups, as well as manage their Veeam-protected virtual, Microsoft 365, and public cloud workloads.\n\nThe first security flaw fixed today (tracked as CVE-2024-42448 and rated with a 9.9/10 severity score) enables attackers to execute arbitrary code on unpatched servers from the VSPC management agent machine.\n\nVeeam also patched a high-severity vulnerability (CVE-2024-42449) that can let attackers steal the NTLM hash of the VSPC server service account and use the gained access to delete files on the VSPC server.\n\nSee more:\nBleepingComputer: https://www.bleepingcomputer.com/news/security/veeam-warns-of-critical-rce-bug-in-service-provider-console/\n\nThe Hackers News: https://thehackernews.com/2024/12/veeam-issues-patch-for-critical-rce.html\n\n#cybersecurity #rce #veeam", "sig": "cd243e142463cd68ca52bf3501d07803b21c3f5f42ce6879d0486a26e9b0bf3381a180107b681d5e4298d76eb52ebd09713ef5145f789c4ab3ac6d0938923a7c" }