Positive Technologies helps fix a vulnerability in Veeam Service Provider Console - Middle East Business News and Information

Mid East Info, 25-03-2025

The server-side request forgery (SSRF) vulnerability could be used for attacks on internal corporate networks
Backup solutions vendor Veeam Software has fixed a vulnerability in Veeam Service Provider Console, the management platform used by backup and disaster recovery service providers. The flaw, CVE-2024-45206 (BDU:2024-1170), was discovered by PT SWARM expert Nikita Petrov. Positive Technologies notified the vendor in line with responsible disclosure practice, and Veeam has released a patch.
The SSRF vulnerability, rated 6.5 on the CVSS 3.0 scale, affected versions 7.x through 8.0.x. Exploiting it let an attacker make the server issue arbitrary HTTP requests to external or internal resources on the attacker's behalf, which could expose a company to attacks on its internal network. To address the vulnerability, users should promptly update to Veeam Service Provider Console version 8.1.0.21377 or later.
According to the vendor, Veeam solutions are used by more than 550,000 customers in different countries, including 74% of Forbes Global 2000 companies. According to publicly available search engines, the list of the most active users of Veeam products is headed by the United States, Germany, and France, while the UAE ranks 32nd. Veeam has the largest market share among global data replication and protection software vendors and has been named a leader in Gartner's Magic Quadrant for Enterprise Backup and Recovery Software Solutions report for eight years in a row.
Veeam Service Provider Console instances exposed to the internet can be attacked directly from the web. As of January 2025, open-source data indicated that there were 2,587 vulnerable systems worldwide. The majority of installations are in the United States (26%), Türkiye (20%), Germany and Great Britain (6% each), Canada and France (5% each).
'Before the patch was released, the vulnerability primarily posed a risk to large enterprise segment companies—the main users of Veeam Service Provider Console,' said Nikita Petrov, a Senior Penetration Testing Specialist in the Security Analysis Department, Positive Technologies. 'Attackers could initiate a request from the server to a resource that is not accessible from the outside and gain the ability to interact with it. This would allow them to obtain information about the victim's network infrastructure and thus simplify the implementation and subsequent development of attacks. For example, one possible consequence of the penetration could be the exploitation of vulnerabilities present in internal systems.'
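The mechanism Petrov describes, a client-controlled URL that the server fetches on the client's behalf, is the classic shape of an SSRF bug. The Python below is an added example, not Veeam's code and not a reconstruction of the VSPC flaw: it shows a fetch handler that accepts the URL unchecked beside a hardened version that enforces a scheme and host allowlist, rejects credentials embedded in the URL, resolves the host and refuses any answer in a private, loopback, link-local or otherwise internal range, and pins the connection to the address it validated. The host names, addresses, allowlist and DNS answers are constructed for illustration, and the resolver is injectable so the check runs offline.

```python
# Added example (not Veeam's code, not a reconstruction of CVE-2024-45206):
# a server-side URL fetcher in its SSRF-prone form and in a hardened form.
# All host names, addresses and the allowlist are constructed for illustration.
import ipaddress
import socket
from urllib.parse import urlsplit


class SsrfBlocked(ValueError):
    """Raised when a client-supplied URL must not be fetched by the server."""


def vulnerable_target(url: str) -> str:
    """'Before' behaviour: the server fetches whatever URL the client supplies.

    A caller can point this at 127.0.0.1, 10.0.0.0/8 or a cloud metadata
    service: hosts reachable from the server but not from the internet.
    """
    return url  # handed unchanged to the HTTP client


def _is_internal(ip) -> bool:
    """True for addresses a server-side fetcher must never be steered to."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.5 is still 10.0.0.5
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_target(url, allowed_hosts, resolver=socket.getaddrinfo):
    """Hardened form: return (url, pinned_ip) or raise SsrfBlocked.

    `resolver` has the call shape of socket.getaddrinfo(host, port); it is a
    parameter so the check can be exercised offline against a static table.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise SsrfBlocked(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        # http://api.example.com@10.0.0.5/ has host 10.0.0.5, not api.example.com
        raise SsrfBlocked("credentials embedded in URL are not allowed")
    host = parts.hostname
    if not host or host.lower() not in allowed_hosts:
        raise SsrfBlocked(f"host not on allowlist: {host!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        answers = resolver(host, port)
    except OSError as exc:
        raise SsrfBlocked(f"{host} does not resolve: {exc}") from exc
    # Check every address, not just the first: an allowlisted name can be
    # (re)pointed at an internal address, and round-robin answers differ.
    pinned = None
    for _family, _type, _proto, _canon, sockaddr in answers:
        ip = ipaddress.ip_address(sockaddr[0].split("%", 1)[0])  # drop zone id
        if _is_internal(ip):
            raise SsrfBlocked(f"{host} resolves to internal address {ip}")
        pinned = pinned or str(ip)
    if pinned is None:
        raise SsrfBlocked(f"{host} has no addresses")
    # The caller should connect to `pinned` (keeping `host` for the Host header
    # and SNI) and disable redirects, so that a second DNS lookup or a 302 from
    # the permitted host cannot undo this check.
    return url, pinned


def is_blocked(url, allowed_hosts, resolver) -> bool:
    """True if validate_target rejects the URL."""
    try:
        validate_target(url, allowed_hosts, resolver)
    except SsrfBlocked:
        return True
    return False


def static_resolver(table):
    """Build a getaddrinfo-shaped resolver from {hostname: [ip, ...]}."""
    def resolve(host, port):
        if host not in table:
            raise socket.gaierror(f"{host}: name not known")
        return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port))
                for ip in table[host]]
    return resolve


if __name__ == "__main__":
    # Constructed DNS answers: a clean name, a name that also answers with an
    # internal address, and an IPv4-mapped IPv6 answer.
    dns = static_resolver({"api.example.com": ["93.184.216.34"],
                           "cdn.example.com": ["93.184.216.35", "10.0.0.5"],
                           "v6.example.com": ["::ffff:10.0.0.5"]})
    allow = {"api.example.com", "cdn.example.com", "v6.example.com"}
    print("ok:", validate_target("https://api.example.com/v1/status", allow, dns))
    for bad in ("http://127.0.0.1/", "https://cdn.example.com/x",
                "file:///etc/passwd", "https://api.example.com@10.0.0.5/",
                "https://v6.example.com/"):
        print("blocked" if is_blocked(bad, allow, dns) else "ALLOWED", bad)
```

Checking only the literal hostname is not enough: an allowlisted name can be re-pointed at 127.0.0.1 between the check and the connection, and a 3xx redirect from a permitted host can land anywhere, which is why the hardened version resolves every answer, returns the address it validated, and expects the caller to connect to that address with redirects disabled.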
This is not the first vulnerability in Veeam Software products that Positive Technologies experts have helped to fix. In 2022, Nikita Petrov discovered two security flaws in Veeam Backup & Replication, a widely used backup and disaster recovery product, and another in Veeam Agent for Microsoft Windows, Veeam's backup software for Windows systems.
To block attempts to exploit SSRF vulnerabilities, Positive Technologies recommends advanced security tools, including web application firewalls such as PT Application Firewall (also available as a cloud service, PT Cloud Application Firewall). A WAF can shield an application without changes to its code while a company is unable to install the vendor's patch; it is a stopgap, not a substitute for updating. To catch vulnerabilities of this type during development, use a static code analyzer such as PT Application Inspector. In addition, network traffic analysis (NTA) solutions such as PT Network Attack Discovery (PT NAD) and next-generation firewalls such as PT NGFW help detect exploitation attempts at the network perimeter; an NGFW goes beyond detection and blocks them with its IPS module.

Related Articles

Positive Technologies identifies key cyberthreats for financial companies in 2025–2026 - Middle East Business News and Information

Mid East Info, a day ago

Positive Technologies has outlined the major cyberthreats that the financial sector may face in the coming years. These include ransomware attacks, malicious use of QR codes, exploitation of API vulnerabilities, DDoS campaigns, and attacks targeting suppliers and partners. These conclusions are based on the company's analysis of security incidents and publicly available data concerning threats to banks and other financial institutions.

The financial sector remains one of the top five most targeted industries by cybercriminals, according to Positive Technologies data for the period from 2024 to Q1 2025. In 67% of successful cyberattacks, attackers stole data and used it to blackmail victims by threatening to delete or expose the information. Another 26% of incidents caused operational disruptions, while 5% resulted in financial theft.

Social engineering was used in 57% of successful cyberattacks on financial organizations in 2024. Positive Technologies analysts predict that such incidents will continue to rise as cybercriminals leverage the generative capabilities of artificial intelligence (AI) to craft convincing phishing emails. On the defensive side, security teams are also expected to use AI to detect AI-generated malicious content.

The growing use of application programming interfaces (APIs) poses significant risks. Without adequate security measures, APIs could become an entry point for cybercriminals. This risk is exacerbated by the proliferation of shadow APIs, which often lack proper protection, and the widespread adoption of AI in the financial sector. According to a report by Wallarm, the number of vulnerable AI-enabled APIs increased tenfold in 2024.

Another key cyberthreat in 2025–2026 will be the growing number of attacks on contractors and suppliers. Cybercriminals are likely to target less secure partners to gain access to larger financial organizations. Small and medium-sized businesses may also be affected, especially if attackers fail to reach their main targets.

Roman Reznikov, Cybersecurity Research Analyst at Positive Technologies, says: 'Cybercriminals continue to exploit legitimate and widely used tools in fraudulent schemes. For example, attacks involving QR codes have become more frequent. Hackers replace legitimate QR codes with malicious ones in public spaces and bypass email security by taking advantage of the difficulty in detecting QR codes within messages. In the future, we may see malware capable of altering QR codes directly on device screens during payment. That's why it's important to be careful with QR codes and avoid scanning ones from unknown or suspicious sources. At the same time, defensive measures are evolving too. For instance, a company can protect itself from emails containing malicious QR codes by using PT Sandbox, which identifies QR codes in email images and attachments, extracts the embedded links, and checks them for malicious activity.'

The access-as-a-service market presents another serious challenge. Positive Technologies reports that nearly 9% of dark web listings for access sales are related to the financial sector. This market is expected to grow as new technologies lower the barriers to entry into cybercrime. Inexperienced attackers may sell discovered access points to more skilled cybercriminals.

Ransomware attacks are also projected to increase. Cybercriminals have begun demanding ransoms lower than the potential fines for data breaches. Analysts anticipate this tactic will become more common in countries with turnover-based fines such as Russia, Brazil, and China.

DDoS campaigns will continue to pose a significant threat to the financial sector in 2025. Hackers are expected to create massive botnets of compromised IoT devices and use AI to launch adaptive attacks that respond to victims' countermeasures.

To protect against these evolving threats, financial organizations must adopt a comprehensive cybersecurity strategy built on advanced tools, including: next-generation firewalls (NGFWs) like PT NGFW to prevent cyberattacks and enforce security policies; web application firewalls (WAFs) such as PT Application Firewall for detecting and blocking attacks, including threats from the OWASP Top 10 list; SIEM systems, including tools like MaxPatrol SIEM, to identify malicious activity across infrastructure and endpoints, integrated with EDR solutions like MaxPatrol EDR. In addition, sandboxes (such as PT Sandbox) and NTA or NDR systems (like PT NAD) should be used to protect against malware and detect hacker movement within the network.

Olive Gaea and Blue Gecko Consulting Announce Strategic Partnership to Accelerate Climate Action and Sustainability Communication

Mid East Info, 28-05-2025

Climate-Tech leader Olive Gaea and award-winning sustainability communications agency Blue Gecko Consulting have announced a strategic partnership to help businesses across the GCC and beyond achieve sustainability goals and communicate their progress with purpose and clarity. The partnership combines Olive Gaea's technology and climate strategy expertise with Blue Gecko's communications know-how, offering companies an end-to-end solution to manage ESG performance, measure, reduce, and abate emissions, while engaging stakeholders through compelling sustainability storytelling.

A Full-Service Solution for Real Climate Impact

At the core of the collaboration is Zero, Olive Gaea's AI-powered SaaS platform designed to simplify carbon accounting and ESG reporting. Zero automates emissions data collection across all three scopes, analyzes data to provide AI-generated Net Zero pathways, and offers carbon offsetting options and ESG disclosures aligned with international standards. Meanwhile, Blue Gecko brings over a decade of experience working with clients in the GCC to translate complex ESG strategies into narratives that resonate. Ranked among the Top 10 Sustainability Communications Consulting Companies in the GCC, Blue Gecko specializes in humanizing ESG data by telling the stories of people and communities positively impacted and embedding sustainability narratives across all communication channels for consistency.

'Together, we offer a complete package – from strategy to storytelling,' said Vivek Tripathi, Co-Founder and CEO of Olive Gaea. 'Zero by Olive Gaea is designed to make decarbonization and ESG leadership effortless and achievable. Businesses don't just need to act on climate—they need to show how and why it matters. That's where Blue Gecko's storytelling expertise is invaluable.'

'Innovative companies like Olive Gaea are pivotal in helping companies define and refine their sustainability objectives and set clear roadmaps toward ambitious targets. But they need us to complete the circle. We work alongside them to understand a company's sustainability goals and intended impact—allowing us to shape a meaningful narrative that extends from internal communications all the way through to stakeholder communications,' added Michelle Ponto, Founder and Managing Director, Blue Gecko Consulting.

A Timely Solution for a Changing Regulatory Landscape

This partnership comes at a pivotal time. With the introduction of the UAE's Federal Decree-Law No. 11/2024, effective May 30, 2025, and Cabinet Resolution 67/2024, which comes into effect in January 2026, companies will face greater responsibility and opportunity to contribute to the country's Net Zero 2050 goals. The new mandates aim to drive effective emissions management nationwide, bolster the UAE's contribution to global climate goals, and spur innovation and research to elevate the private sector's role in advancing sustainability. Olive Gaea and Blue Gecko are positioned to support companies navigating this shift by providing both the tools to act and the communications strategies to showcase impact.

AUS engineering undergraduate uncovers critical security flaw in Python library, PyCel - Middle East Business News and Information

Mid East Info, 19-05-2025

Adham Elmosalamy, a computer science and engineering student from the College of Engineering (CEN) at American University of Sharjah (AUS), recently discovered a critical security vulnerability in PyCel, an open-source Python library used to process Excel files. The vulnerability has since been added to the global Common Vulnerabilities and Exposures (CVE) database maintained by the US-based MITRE Corporation, a not-for-profit organization that plays a central role in global cybersecurity. Most CVEs are reported by professional researchers, cybersecurity firms or PhD-level academics, which makes Elmosalamy's contribution particularly notable.

'This is a significant achievement that speaks to the quality of students we nurture at AUS,' said Dr. Fadi Aloul, Dean of CEN. 'Being assigned a CVE by MITRE is akin to earning a black belt in cybersecurity—a sign of exceptional skill. For an undergraduate to reach this level is remarkable. We are very proud of Elmosalamy's positive impact in the global cybersecurity domain.'

Elmosalamy first identified the issue in November 2024 during an independent review of open-source libraries. Within days, he developed a proof-of-concept and submitted a detailed report to MITRE. MITRE then validated the findings and assigned the official CVE number CVE-2024-53924. This number is a standardized identifier that developers, software engineers and other professionals around the world use to track and respond to publicly disclosed security flaws in software.

CVE-2024-53924 is a code execution vulnerability, one of the most severe classes of software security flaw. It affects users of PyCel who open untrusted Excel files, potentially allowing attackers to execute malicious code on their systems. It was assigned a CVSS severity score of 9.8/10, which the National Institute of Standards and Technology (NIST), responsible for evaluating and scoring CVEs through its National Vulnerability Database, classifies as 'critical'. Since assigning the CVE, MITRE has contacted the software vendor to fix the vulnerability and, as of April 17, has publicized the issue to protect users of the vulnerable software.

'This is my first CVE, which is very special to me. It's incredibly rewarding to see my knowledge applied in a way that contributes to securing our cyber infrastructure,' said Elmosalamy. 'This milestone reflects the many hours I've dedicated to learning and practicing cybersecurity, and I hope it encourages other students to explore this vital field. An AUS student first inspired me during my freshman year—someone whose passion left a lasting impression despite graduating that same semester. Since then, I've dedicated myself to creating a thriving cybersecurity community at AUS and competed in the Collegiate Penetration Testing Competition (CPTC) for three consecutive years. In 2022, I reached the finals in Rochester, New York. I later founded the Society of Cybersecurity (SOC) in 2023, through which I hosted 27 events over three semesters, from industry talks to bootcamps and an outreach workshop for high schoolers.'

Today, Elmosalamy is studying at AUS and working at CTFAE, a startup founded by AUS alumni, where he has built new products and helped organize major events, including the Guinness World Record-holding BlackHat Middle East cybersecurity conference in Riyadh. 'I'm deeply committed to establishing AUS as a regional leader in cybersecurity education, and I hope to see the university offer more specialized courses in areas like digital forensics, threat hunting and cryptography in future,' he said.

Elmosalamy has published a technical explanation of his findings on GitHub, along with a video demonstration, to raise awareness among developers and end-users alike.

CEN offers talented students a range of programs that prepare them for careers in technology and cybersecurity, including the Bachelor of Science in Computer Engineering, Bachelor of Science in Computer Science, Master of Science in Computer Engineering (MSCOE) and the PhD in Electrical and Computer Engineering (PhD-ECE). The college's programs equip students with a strong foundation in IT, engineering and cybersecurity, and give them a competitive edge by incorporating emerging topics such as AI and machine learning, part of the college's recent CEN 2.0 curriculum enhancements.

About AUS: American University of Sharjah (AUS) was founded in 1997 by His Highness Sheikh Dr. Sultan Bin Muhammad Al Qasimi, Member of the Supreme Council of the United Arab Emirates and Ruler of Sharjah. Sheikh Sultan articulated his vision of a distinctive institution against the backdrop of Islamic history and in the context of the aspirations and needs of contemporary society in the UAE and the Gulf region. Firmly grounded in principles of meritocracy and with a strong reputation for academic excellence, AUS has come to represent the very best in teaching and research, accredited internationally and recognized by employers the world over for creating graduates equipped with the knowledge, skills and drive to lead in the 21st century. AUS values learners not driven only by academic success, but those who embrace its dynamic campus life and embody its ideals of openness, tolerance and respect. This combination of academic excellence and community spirit ensures AUS is filled with world-class faculty and students, poised to become the innovators, thinkers, contributors and leaders of tomorrow.
