Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console


Veeam has issued security updates for its Service Provider Console (VSPC) to address two critical vulnerabilities: CVE-2024-42448 (CVSS 9.9), enabling remote code execution (RCE) from an authorized management agent, and CVE-2024-42449 (CVSS 7.1), which could leak NTLM hashes and allow file deletion. These flaws affect VSPC version 8.1.0.21377 and all earlier builds of versions 7 and 8, with fixes available in version 8.1.0.21999. As there are no mitigations, Veeam urges users to upgrade immediately to prevent potential exploitation, including ransomware deployment.
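For patch triage, the build numbers above can be turned into a simple inventory check. This is an added example, not Veeam tooling; the hostnames, the inventory format and the sample builds other than 8.1.0.21377 and 8.1.0.21999 are constructed, and how the installed build is collected is left to the reader.

```python
import re

# Build numbers taken from the advisory summary above.
LAST_LISTED_AFFECTED = (8, 1, 0, 21377)
FIXED_BUILD = (8, 1, 0, 21999)
AFFECTED_MAJORS = {7, 8}


def parse_build(text):
    """Parse 'a.b.c.d' into a tuple of ints; return None if malformed."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*", text)
    return tuple(int(g) for g in m.groups()) if m else None


def classify(build_text):
    """Map a VSPC build string to a triage status."""
    build = parse_build(build_text)
    if build is None:
        return "unparseable"      # verify the host by hand
    if build >= FIXED_BUILD:
        return "fixed"
    if build[0] not in AFFECTED_MAJORS:
        return "out-of-scope"     # the advisory only names versions 7 and 8
    if build <= LAST_LISTED_AFFECTED:
        return "affected"
    return "unlisted"             # between the two listed builds: upgrade anyway


def needs_upgrade(inventory):
    """Return {host: status} for every host not confirmed on a fixed build."""
    result = {}
    for host, build_text in inventory.items():
        status = classify(build_text)
        if status != "fixed":
            result[host] = status
    return result


# Constructed sample inventory (hypothetical hostnames).
SAMPLE_INVENTORY = {
    "vspc-01.example.internal": "8.1.0.21377",
    "vspc-02.example.internal": "8.1.0.21999",
    "vspc-03.example.internal": "7.0.0.1",
    "vspc-04.example.internal": "8.1.0.21500",
    "vspc-05.example.internal": "8.1",
}

if __name__ == "__main__":
    for host, status in sorted(needs_upgrade(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Because no mitigations exist, every status other than `fixed` should be followed up: upgrade, or confirm the build manually where it could not be parsed.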
