
Veeam Patches Critical Vulnerability in Service Provider Console
News Desk
Veeam Software has patched a critical security flaw in its Veeam Service Provider Console, a platform used by backup and disaster recovery service providers. The vulnerability, identified as CVE-2024-45206 (BDU:2024-1170), was discovered by Nikita Petrov, a Senior Penetration Testing Specialist at Positive Technologies' PT SWARM team.
Following responsible disclosure, Veeam quickly released a security patch to address the issue.
What Is the Vulnerability?
The flaw is an SSRF (Server-Side Request Forgery) vulnerability, rated 6.5 on the CVSS 3.0 scale. It affected Veeam Service Provider Console versions 7.x through 8.0.x.
If exploited, attackers could send arbitrary HTTP requests on behalf of the server. This could allow access to internal networks, exposing sensitive resources.
Who Is at Risk?
According to open-source data, as of January 2025, 2,587 systems worldwide remain vulnerable. The countries with the most exposed systems include:
United States (26%)
Türkiye (20%)
Germany & Great Britain (6% each)
Canada & France (5% each)
The flaw mainly affects large enterprises, which are the primary users of Veeam Service Provider Console.
Why Is This a Serious Threat?
Nikita Petrov explained that attackers could use this vulnerability to interact with internal systems. This could reveal network infrastructure details and lead to further attacks.
In 2022, Positive Technologies also discovered security flaws in Veeam Backup & Replication and Veeam Agent for Microsoft Windows.
What Should Users Do?
To protect against exploitation, Veeam recommends updating to version 8.1.0.21377 or later. Prompt action is essential to safeguard systems.
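As an added example (not from Veeam or Positive Technologies), the following Python sketch triages an inventory of Veeam Service Provider Console installations against the version figures stated in this article. The host names and build strings are constructed samples, and how the version strings are collected is left to the reader's own asset inventory.

```python
import re

# Figures taken from the article: versions 7.x through 8.0.x are affected,
# and 8.1.0.21377 or later is the recommended build.
AFFECTED_FROM = (7, 0, 0, 0)
AFFECTED_BELOW = (8, 1, 0, 0)
FIXED_BUILD = (8, 1, 0, 21377)

_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+){0,3})\s*$")

def parse_version(text):
    """Return a 4-part tuple of ints, or None if the string is not a version."""
    match = _VERSION_RE.match(text or "")
    if not match:
        return None
    parts = tuple(int(p) for p in match.group(1).split("."))
    # Missing components count as 0, so imprecise entries are judged conservatively.
    return parts + (0,) * (4 - len(parts))

def classify(text):
    """Map one reported version string to a triage status."""
    version = parse_version(text)
    if version is None:
        return "unparseable"            # needs manual follow-up
    if version >= FIXED_BUILD:
        return "patched"
    if AFFECTED_FROM <= version < AFFECTED_BELOW:
        return "affected"               # inside the range the article names
    if version >= AFFECTED_BELOW:
        return "below-recommended"      # 8.1.0.x older than the recommended build
    return "out-of-range"               # older than 7.x; the article does not cover it

def triage(inventory):
    """Group (host, version) pairs by status; hosts are sorted within each group."""
    report = {}
    for host, version in inventory:
        report.setdefault(classify(version), []).append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}

# Constructed sample inventory (hypothetical hosts and build numbers).
SAMPLE_INVENTORY = [
    ("vspc-01.example.internal", "7.0.0.1"),
    ("vspc-02.example.internal", "8.0.0.1"),
    ("vspc-03.example.internal", "8.1.0.21377"),
    ("vspc-04.example.internal", "8.1.0.1"),
    ("vspc-05.example.internal", "6.0.0.1"),
    ("vspc-06.example.internal", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status}: {', '.join(hosts)}")
```

Anything not reported as "patched" deserves a closer look; the "unparseable" and "out-of-range" groups fall outside what the article states and should be checked by hand.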
Positive Technologies also suggests using advanced security tools like:
Web Application Firewalls (WAF) – Such as PT Application Firewall, available both on-premises and in the cloud.
Static Code Analysis – Tools like PT Application Inspector to detect vulnerabilities during development.
Network Traffic Analysis (NTA) – Solutions like PT Network Attack Discovery (PT NAD) and PT NGFW with IPS modules to detect and block attacks.
Why This Matters
Veeam Software supports over 550,000 customers worldwide, including 74% of Forbes Global 2000 companies. The United States, Germany, and France lead in usage, while the UAE ranks 32nd.
Veeam also holds the largest market share in data replication and protection. For eight consecutive years, it has been recognized in Gartner's Magic Quadrant for Enterprise Backup and Recovery Software Solutions.
Take Action Now
Organizations using Veeam Service Provider Console should update their software immediately. Implementing additional security measures is also crucial to prevent future threats.