CVE-2024-29212

Due to an  unsafe de-serialization method used by the Veeam Service Provider Console(VSPC) server in communication between the management agent and its components, under certain conditions, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.9 CRITICAL
NETWORK
LOW
LOW
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
hackeroneCNA
9.9 CRITICAL
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CISA-ADPADP
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 95%
VendorProductVersion
veeamveeam_service_provider_console
𝑥
< 7.0.0.19551
veeamveeam_service_provider_console
8.0.0.18054 ≤
𝑥
< 8.0.0.19552
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.veeam.com/kb4575
https://www.veeam.com/kb4575