Description
Due to an unsafe de-serialization method used by the Veeam Service Provider Console(VSPC) server in communication between the management agent and its components, under certain conditions, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine.
CVSS Metrics
- Vector
- CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- Attack Vector
- network
- Complexity
- low
- Privileges
- low
- User Action
- none
- Scope
- changed
- Confidentiality
- high
- Integrity
- high
- Availability
- high
- Weaknesses
- CWE-502
Metadata
- Primary Vendor
- VEEAM
- Published
- 5/14/2024
- Last Modified
- 6/30/2025
- Source
- NIST NVD
- Note: Verify all details with official vendor sources before applying patches.
Affected Products
veeam : veeam_service_provider_consoleveeam : veeam_service_provider_console
AI-Powered Remediation
Generate remediation guidance or a C-suite brief for this vulnerability.