Veeam urges MSPs to update their systems against flaw

Veeam Software has reported a "critical flaw" in its service provider console and is urging MSPs to update their systems to avoid compromise of their customers' data.

Due to an "unsafe" deserialisation method used by the Veeam Service Provider Console (VSPC) server in communication between the management agent and its components, under certain conditions, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine.

The vulnerability was detected during internal testing, said Veeam.

The vulnerability was fixed in these builds of Veeam Service Provider Console: 7.0.0.18899 and 8.0.0.19236.

"We encourage service providers using supported versions of Veeam Service Provider Console (versions 7 & 8) to update to the latest cumulative patch," said Veeam. "Service providers using unsupported versions are strongly encouraged to upgrade to the latest version of Veeam Service Provider Console."