PT-2024-22813 · Veeam · Veeam Service Provider Console

Published: 2024-05-08 · Updated: 2025-06-30 · CVE-2024-29212

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Veeam Service Provider Console versions 4.0 through 8.0

Description: The issue is caused by an unsafe deserialization method used by the Veeam Service Provider Console (VSPC) server in communication between the management agent and its components. Under certain conditions, this allows Remote Code Execution (RCE) on the VSPC server machine. The estimated number of potentially affected devices worldwide is over 9,000. There is a risk of system compromise and data leakage. No exploits have been reported yet.

Recommendations: For versions 4.0 through 8.0, patch the systems as soon as possible to resolve the issue. As a temporary workaround, consider restricting access to the management agent and its components to minimize the risk of exploitation. Avoid using any potentially vulnerable functions or parameters in the affected API endpoints until the issue is resolved.

Fix

RCE

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers: CVE-2024-29212

Affected Products: Veeam Service Provider Console