CVE-2024-29212

Published: May 14, 2024Modified: Jun 30, 2025

9.9

Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Exploitability: 3.1 / Impact: 6.0

Source: support@hackerone.com (Secondary)

Description

Due to an unsafe de-serialization method used by the Veeam Service Provider Console(VSPC) server in communication between the management agent and its components, under certain conditions, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine.

Affected (2)

Products: Veeam: Veeam Service Provider Console

1 product

Veeam Service Provider Console

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Veeam Veeam Service Provider Console	Before 7.0.0.19551
Veeam Veeam Service Provider Console	From 8.0.0.18054 to 8.0.0.19552

Related CWEs

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (2)

https://www.veeam.com/kb4575

Source: support@hackerone.com

Vendor Advisory

https://www.veeam.com/kb4575

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.