Date of Disclosure: December 3, 2024
CVE-2024-42448 is a remote code execution (RCE) vulnerability in the Veeam Service Provider Console (VSPC). From a machine running the VSPC management agent, and provided that agent is authorized on the server, an attacker can execute code on the VSPC server itself. The vulnerability was still awaiting analysis in the NVD at the time of writing.
CVE-2024-42448 was not observed to be actively exploited at the time of writing, but threat actors have historically exploited Veeam vulnerabilities to deploy Akira and Fog ransomware.
| Field | Details |
| --- | --- |
| CVE-ID | CVE-2024-42448 – CVSS 9.9 (critical) – assigned by HackerOne |
| Vulnerability Description | From the VSPC management agent machine, under the condition that the management agent is authorized on the server, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine. |
| Date of Disclosure | December 3, 2024 |
| Affected Assets | Veeam Service Provider Console |
| Vulnerable Software Versions | VSPC 8.1.0.21377 and all earlier version 8 and version 7 builds |
| PoC Available? | No public exploits available at the time of writing. |
| Exploitation Status | CVE-2024-42448 was not observed to be actively exploited at the time of writing. |
| Patch Status | Fixed in VSPC version 8.1.0.21999 |
Censys Perspective
At the time of writing, Censys observed 1,006 exposed VSPC instances online. A large proportion of these (49%) are geolocated in Turkey. SunExpress, a Turkish airline, uses Veeam solutions for data protection and disaster recovery, which may account for part of the concentration observed in Turkey.
Censys observed about 49% of the exposed instances to be associated with Turkcell Superonline (ASN 34984), a telecommunications provider in Turkey. These counts reflect exposure, not confirmed vulnerability: Censys does not observe the VSPC build number, so it cannot tell which instances are still running 8.1.0.21377 or earlier and which have been updated to 8.1.0.21999.
Map of Exposed VSPC Instances:
Censys Search Query:
(services.software: (vendor="Veeam" and product="Service Provider Console") or services.http.response.html_title="Veeam Service Provider Console") and not labels: {honeypot, tarpit}
Censys ASM Query:
((host.services.software.vendor = "Veeam" and host.services.software.product = "Service Provider Console") or host.services.http.response.html_title="Veeam Service Provider Console") and not host.labels: {honeypot, tarpit}
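The queries above enumerate exposed consoles but, as noted, say nothing about the build each one runs. Once the build numbers have been collected in-band (from the VSPC installation itself), the triage reduces to a version comparison against the fixed build. The script below is an added example written for this write-up; it is not Censys's or Veeam's code. The only version facts it takes from the advisory are that builds up to 8.1.0.21377 on the 7.x and 8.x lines are vulnerable and that 8.1.0.21999 is the fix. It assumes, conservatively, that any 7.x or 8.x build below 8.1.0.21999 is unpatched (the advisory does not list builds between 21377 and 21999), and the inventory records are constructed sample data using TEST-NET-3 addresses and made-up build numbers other than the two from the advisory.

```python
"""Triage a VSPC inventory against the CVE-2024-42448 fixed build.

Added example, not Censys's or Veeam's code. Assumption: any 7.x/8.x build
below 8.1.0.21999 is treated as unpatched; hosts seen only by banner/title
(the Censys situation) are reported as 'unknown' rather than guessed.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

FIXED_BUILD = (8, 1, 0, 21999)          # advisory: "Fixed in VSPC version 8.1.0.21999"
AFFECTED_MAJORS = (7, 8)                # advisory: "all earlier version 8 and version 7 builds"
NOISE_LABELS = {"honeypot", "tarpit"}   # same labels the Censys queries exclude

_VERSION_RE = re.compile(r"^\d+(\.\d+){0,3}$")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '8.1.0.21377' into (8, 1, 0, 21377); shorter strings are
    right-padded with zeros so tuple comparison works. Returns None for
    anything that is not a dotted numeric version."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        return None
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


@dataclass
class Host:
    ip: str
    version: Optional[str]              # None when only a banner/title was seen
    labels: Tuple[str, ...] = ()


def triage(host: Host) -> str:
    """Classify one host as 'ignore', 'unknown', 'patched' or 'unpatched'."""
    if NOISE_LABELS & set(host.labels):
        return "ignore"
    if host.version is None:
        return "unknown"            # external scans do not expose the VSPC build
    v = parse_version(host.version)
    if v is None:
        return "unknown"            # unparseable version string
    if v >= FIXED_BUILD:
        return "patched"            # at or above the fixed build
    if v[0] in AFFECTED_MAJORS:
        return "unpatched"          # 7.x or 8.x below 8.1.0.21999 (assumption, see docstring)
    return "unknown"                # version line the advisory does not cover


def summarize(hosts) -> dict:
    """Count hosts per triage result."""
    counts = {"ignore": 0, "unknown": 0, "patched": 0, "unpatched": 0}
    for h in hosts:
        counts[triage(h)] += 1
    return counts


# Constructed inventory; build numbers other than 21377/21999 are made up.
SAMPLE_INVENTORY = [
    Host("203.0.113.10", "8.1.0.21377"),                 # last build the advisory lists as vulnerable
    Host("203.0.113.11", "8.1.0.21999"),                 # the fixed build
    Host("203.0.113.12", "7.0.0.13000"),                 # hypothetical 7.x build
    Host("203.0.113.13", None),                          # seen by title only, as in the Censys data
    Host("203.0.113.14", "8.1.0.21500"),                 # hypothetical build between 21377 and 21999
    Host("203.0.113.15", "8.1.0.21377", ("honeypot",)),  # excluded, as the queries do
    Host("203.0.113.16", "8.2.0.30000"),                 # hypothetical later build
]

if __name__ == "__main__":
    for h in SAMPLE_INVENTORY:
        print(f"{h.ip:15} {h.version or '-':14} {triage(h)}")
    print(summarize(SAMPLE_INVENTORY))
```

Hosts with no build number deliberately land in `unknown` rather than `unpatched`, so the script does not inflate the vulnerable count the way a raw exposure figure would; those are the ones to verify in-band first.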