CVE-2024-29212

CRITICAL

Veeam Service Provider Console - RCE

Title source: llm

Description

Due to an unsafe de-serialization method used by the Veeam Service Provider Console(VSPC) server in communication between the management agent and its components, under certain conditions, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine.

References (1)

[Vendor Advisory] https://www.veeam.com/kb4575

Scores

CVSS v3 9.9

EPSS 0.2966

EPSS Percentile 96.5%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (1)

veeam/veeam_service_provider_console < 7.0.0.19551

Timeline

Published May 14, 2024

Tracked Since Feb 18, 2026