
Positive Technologies Helps Fix Security Flaw in Veeam Service Provider Console

Positive Technologies

Cybersecurity firm Positive Technologies has identified and helped resolve a server-side request forgery (SSRF) vulnerability in Veeam Service Provider Console, a platform widely used for backup and disaster recovery management. The flaw, tracked as CVE-2024-45206, could have allowed attackers to send unauthorized requests on behalf of the server, potentially exposing internal corporate networks.

“This vulnerability posed a risk to large enterprises,” said Nikita Petrov, Senior Penetration Testing Specialist at Positive Technologies.

The vulnerability, which had a CVSS severity score of 6.5, was discovered by Nikita Petrov, a security expert from PT SWARM, Positive Technologies’ research division. Veeam Software was notified in line with responsible disclosure policies and has since released a security patch to fix the issue.

The flaw affected versions 7.x through 8.0.x of the Veeam Service Provider Console, and before the patch was issued, over 2,500 vulnerable systems were identified globally. The United States, Türkiye, Germany, and the UK were among the most affected regions. Veeam solutions are used by more than 550,000 customers, including 74% of Forbes Global 2000 companies, making timely mitigation crucial.

This is not the first time Positive Technologies has helped identify vulnerabilities in Veeam Software’s products. In 2022, the firm found critical flaws in Veeam Backup & Replication and Veeam Agent for Microsoft Windows.

To prevent similar security risks, Positive Technologies recommends that organizations implement web application firewalls (WAFs), static code analysis tools, and network traffic analysis solutions to detect and mitigate threats.
