Veeam Urges Updates After Discovering Critical Vulnerability

December 4, 2024 at 03:54PM

Veeam has released an update to fix a critical vulnerability (CVE-2024-42448, CVSS 9.9) in its Service Provider Console (VSPC), which could enable remote code execution. A secondary vulnerability (CVE-2024-42449, CVSS 7.1) could leak sensitive data. Users are urged to update to the latest patch, as no mitigations exist.

**Meeting Takeaways: Veeam Vulnerability Update**

1. **Critical Vulnerabilities Identified**:
– **CVE-2024-42448**: A critical vulnerability with a CVSS score of 9.9 was found in the Veeam Service Provider Console (VSPC), allowing for potential remote code execution (RCE).
– **CVE-2024-42449**: A second vulnerability, assessed at a CVSS score of 7.1, may lead to NTLM hash leakage of the server service account and deletion of files.

2. **Affected Versions**:
– Both vulnerabilities affect VSPC version 8.1.0.21377 and all earlier builds of versions 7 and 8.
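A defender's first step is to check a VSPC inventory against the affected range above. The following is an added example, not code from Veeam or from the article; it assumes the version range stated here (8.1.0.21377 and all earlier 7.x and 8.x builds) and a constructed inventory of hostnames and versions, and it does not assume any particular fixed build number, since the page does not give one.

```python
from typing import Dict, List, Tuple

# Constants taken from the advisory summary: the latest affected VSPC build
# is 8.1.0.21377, and every earlier 7.x and 8.x build is also affected.
AFFECTED_MAJORS = (7, 8)
LAST_AFFECTED_BUILD = "8.1.0.21377"


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse a dotted numeric version into a 4-tuple.

    Missing trailing components are padded with zeros so that '8.1'
    compares as 8.1.0.0; anything non-numeric raises ValueError rather
    than silently comparing as 'not affected'.
    """
    parts = version.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    nums = [int(p) for p in parts]
    nums += [0] * (4 - len(nums))
    return nums[0], nums[1], nums[2], nums[3]


def is_affected(version: str) -> bool:
    """True when the build falls inside the advisory's affected range."""
    parsed = parse_version(version)
    major = parsed[0]
    return major in AFFECTED_MAJORS and parsed <= parse_version(LAST_AFFECTED_BUILD)


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Split hosts into those needing the cumulative patch and those outside
    the affected range; unparsable versions are listed separately so they
    are reviewed by hand instead of being dropped."""
    result: Dict[str, List[str]] = {"update_required": [], "outside_range": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        try:
            bucket = "update_required" if is_affected(version) else "outside_range"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hostnames and builds).
    sample = {
        "vspc-prod-01": "8.1.0.21377",
        "vspc-prod-02": "8.0.2.1001",
        "vspc-legacy": "7.0.0.555",
        "vspc-lab": "8.1",
        "vspc-eol": "6.0.0.1",
        "vspc-broken": "n/a",
    }
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Run it with an inventory exported from your asset management system; the "unknown" bucket exists so that a malformed version string is surfaced rather than treated as safe.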

3. **Industry Implications**:
– Elad Luz, head of research at Oasis Security, emphasized that these vulnerabilities could expose critical backup infrastructure, particularly in sectors like finance, healthcare, and legal services, where data security is crucial.

4. **Recommended Action**:
– Veeam advises users of the affected VSPC versions to update to the latest cumulative patch, as there are currently no mitigations available for these vulnerabilities.

5. **Conclusion**:
– Vigilance is recommended for organizations using Veeam’s tools to manage client data, ensuring timely updates to mitigate risks associated with these vulnerabilities.
