CVE-2024-29212
In short
Veeam Service Provider Console (VSPC) has a critical flaw in how the server deserializes messages exchanged with its management agent and other components, allowing an attacker who can reach that channel to run code on the VSPC server machine.
Technical detail
The vulnerability stems from unsafe deserialization (CWE-502) in the VSPC server's handling of messages exchanged between the management agent and server components. Under certain conditions, an attacker with network access to that channel can supply a crafted serialized object that the server deserializes, leading to Remote Code Execution (RCE) on the VSPC server machine. Note that the CVSS vector below specifies PR:L: the attack requires low privileges on the channel, so this is not an unauthenticated RCE, and S:C indicates that the impact extends beyond the vulnerable component to the host as a whole.
Summary generated and translated by AI from the official description.
Due to an unsafe de-serialization method used by the Veeam Service Provider Console (VSPC) server in communication between the management agent and its components, under certain conditions, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine.
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (base score 9.9, Critical)
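The deserialization flaw described above, illustrated as an added example in Python. This is not VSPC code (VSPC is a .NET product and the page does not identify which serializer is involved); it shows the vulnerability class itself. A receiver that calls pickle.loads on whatever arrives over the agent channel instantiates any type the sender names, so a crafted message runs code during deserialization. The hardened receiver resolves only an allowlist of the message types the channel is expected to carry and refuses everything else before any constructor or callable runs. The AgentHeartbeat message shape, the fake_shell sink and both sample messages are constructed for this demonstration.

```python
import io
import pickle

# Constructed sample: a message a legitimate management agent would send.
# The shape is assumed for this demo; the real VSPC wire format is not on the page.
class AgentHeartbeat:
    def __init__(self, agent_id, status):
        self.agent_id = agent_id
        self.status = status

# Harmless sink so the demo never runs a real command. A real payload would
# name os.system or subprocess.Popen here instead.
EXECUTED = []

def fake_shell(cmd):
    EXECUTED.append(cmd)
    return 0

class MaliciousMessage:
    """Gadget: pickle records (fake_shell, ("id",)) and the loader calls it."""
    def __reduce__(self):
        return (fake_shell, ("id",))

def build_legit_message():
    return pickle.dumps(AgentHeartbeat("agent-01", "ok"))

def build_malicious_message():
    return pickle.dumps(MaliciousMessage())

def vulnerable_receive(data: bytes):
    """CWE-502: every global the sender names is resolved and may be called."""
    return pickle.loads(data)

# Hardened form: allowlist of (module, qualified name) pairs this channel may carry.
ALLOWED_TYPES = {(AgentHeartbeat.__module__, AgentHeartbeat.__qualname__)}

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Called for every class or function reference in the stream, before
        # anything is instantiated; rejecting here stops the gadget cold.
        if (module, name) in ALLOWED_TYPES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to resolve {module}.{name}")

def hardened_receive(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def demo():
    """Run both receivers on both messages and report what happened."""
    EXECUTED.clear()
    legit = build_legit_message()
    evil = build_malicious_message()
    results = {}

    # Vulnerable receiver: the heartbeat round-trips, but so does the gadget.
    hb = vulnerable_receive(legit)
    results["vuln_legit_ok"] = hb.agent_id == "agent-01"
    vulnerable_receive(evil)
    results["vuln_executed"] = list(EXECUTED)

    # Hardened receiver: heartbeat still works, gadget rejected before any call.
    calls_before = len(EXECUTED)
    hb2 = hardened_receive(legit)
    results["hard_legit_ok"] = hb2.status == "ok"
    try:
        hardened_receive(evil)
        results["hard_rejected"] = False
    except pickle.UnpicklingError:
        results["hard_rejected"] = True
    results["hard_extra_calls"] = len(EXECUTED) - calls_before
    return results

if __name__ == "__main__":
    print(demo())
```

The same principle applies to .NET deserializers: the fix is never to accept whatever type name the peer supplies, but to bind only to an explicit set of expected message types (a restrictive SerializationBinder, or a format such as JSON or XML with no type metadata at all), and to authenticate the channel so that the low-privileged position the CVSS vector assumes is not enough to reach the deserializer.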
Affected products
Veeam · Service Provider Console
References
https://www.veeam.com/kb4575