Veeam Service Provider Remote Code Execution (CVE-2024-29212)

8th May 2024

Introduction

Veeam has confirmed a remote code execution vulnerability in Veeam Service Provider Console.

CVE-2024-29212 (CVSS: 8.8 [High]) is caused by an unsafe deserialization method used by the Veeam Service Provider Console server in communication between the management agent and its components. Under certain conditions, remote code execution is possible on the server.

Veeam Service Provider Console is used by Managed Service Providers and companies for backup and disaster recovery services.

The vulnerability was discovered during internal testing by Veeam and patches have been released. We hope this means that the impact will be negligible.

Affected Products

Versions 4.x, 5.x, 6.x, 7.x and 8.x are affected.

Patches

Veeam Service Provider Console 7.0.0.18899

Veeam Service Provider Console 8.0.0.19236

We recommend that any users not on 7.0/8.0 upgrade immediately, as it appears that previous versions will not be patched.
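To apply the version guidance above across several installations, the following added example (not Veeam's code and not part of the original bulletin) classifies installed build strings against the affected versions and patched builds listed here. It assumes four-part builds order numerically within a major version; the hostnames and the unpatched build numbers in the sample are constructed.

```python
# Added example: triage inventory build strings against this bulletin's data.
import re

# From the bulletin: patched build for each major version that has one.
PATCHED_BUILDS = {7: (7, 0, 0, 18899), 8: (8, 0, 0, 19236)}
# From the bulletin: affected major versions (4.x through 8.x).
AFFECTED_MAJORS = {4, 5, 6, 7, 8}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")


def parse_build(text):
    """Return a 4-tuple of ints, or None if text is not of the form a.b.c.d."""
    m = _VERSION_RE.match(text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def triage(build_text):
    """Classify one installed build string for CVE-2024-29212."""
    build = parse_build(build_text)
    if build is None:
        return "unparseable"        # check by hand; never treat as safe
    major = build[0]
    if major not in AFFECTED_MAJORS:
        return "not-listed"         # the bulletin makes no statement
    fixed = PATCHED_BUILDS.get(major)
    if fixed is None:
        return "upgrade-required"   # 4.x to 6.x: no patched build listed
    # Assumption: four-part builds order numerically within a major version.
    return "patched" if build >= fixed else "patch-available"


def triage_inventory(inventory):
    """Map host -> status for a dict of host -> build string."""
    return {host: triage(build) for host, build in inventory.items()}


# Constructed sample inventory (hostnames and unpatched builds are made up).
SAMPLE = {
    "vspc-a": "8.0.0.19236",
    "vspc-b": "8.0.0.100",
    "vspc-c": "7.0.0.18899",
    "vspc-d": "6.0.0.100",
    "vspc-e": "v8 (unknown)",
}

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE).items()):
        print(f"{host}: {status}")
```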