Remote Code Execution Vulnerability in VSPC Server via REST API
CVE-2024-39715

8.5HIGH

Key Information:

Vendor: Veeam
Status: Veeam Service Provider Console
Vendor: CVE Published:; 7 September 2024

What is CVE-2024-39715?

A code injection vulnerability exists in the VSPC server by Veeam, allowing low-privileged users with access to the REST API to upload arbitrary files. This flaw could enable an attacker to execute remote code on the VSPC server, potentially compromising the system and leading to unauthorized access or data manipulation. The vulnerability underscores the risks associated with insufficient input validation and access controls in REST API implementations.

Affected Version(s)

Veeam Service Provider Console 8

References

https://www.veeam.com/kb4649

CVSS V3.1

Score:

8.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 7, 2024
Vulnerability Reserved
Jun 28, 2024