Backup solutions vendor Veeam Software eliminated a vulnerability in Veeam Service Provider Console, a management platform used by backup and disaster recovery service providers. The security flaw CVE-2024-45206 (BDU:2024-1170) was discovered by PT SWARM expert Nikita Petrov. The vendor was notified of the threat in line with the responsible disclosure policy and has already released a software patch.

The SSRF vulnerability, rated 6.5 on the CVSS 3.0 scale, affected versions 7.x through 8.0.x. When exploited, this vulnerability could hypothetically expose companies to attacks on internal networks, since it allowed an attacker to send arbitrary HTTP requests to external or internal resources on behalf of the server. To address the vulnerability, users should promptly update to Veeam Service Provider Console version 8.1.0.21377 or later.

According to the vendor, Veeam solutions are used by more than 550,000 customers from different countries, including 74% of Forbes Global 2000 companies. According to publicly available search engines, the list of the most active users of Veeam products is headed by the United States, Germany, and France, while UAE ranks 32nd. Veeam has the largest market share among global data replication and protection software vendors and has been named a leader in Gartner's Magic Quadrant for Enterprise Backup and Recovery Software Solutions[1] report for eight years in a row.

Veeam Service Provider Console could potentially be attacked directly from the web. As of January 2025, open-source data indicated that there were 2587 vulnerable systems worldwide. The majority of installations are in the United States (26%), Türkiye (20%), Germany and Great Britain (6% each), Canada and France (5% each).

"Before the patch was released, the vulnerability primarily posed a risk to large enterprise segment companies—the main users of Veeam Service Provider Console," said Nikita Petrov, a Senior Penetration Testing Specialist in the Security Analysis Department, Positive Technologies. "Attackers could initiate a request from the server to a resource that is not accessible from the outside and gain the ability to interact with it. This would allow them to obtain information about the victim's network infrastructure and thus simplify the implementation and subsequent development of attacks. For example, one possible consequence of the penetration could be the exploitation of vulnerabilities present in internal systems."

This is not the first vulnerability in Veeam Software products that Positive Technologies experts have helped to fix. In 2022, Nikita Petrov discovered two security flaws at once in Veeam Backup & Replication, a popular backup system for automating backup and disaster recovery. Another flaw was discovered in Veeam Agent for Microsoft Windows, a Windows data backup software.

To block attempts to exploit SSRF vulnerabilities, Positive Technologies recommends using advanced security solutions, including web application firewalls like PT Application Firewall (also available in the cloud version: PT Cloud Application Firewall). A firewall allows you to protect applications without making changes to them when a company is unable to install a patch released by the vendor. To detect vulnerabilities of this type during software development, you should use a static code analyzer like PT Application Inspector. In addition, NTA solutions, such as PT Network Attack Discovery (PT NAD), and network traffic analysis tools, like PT NGFW, will help you promptly detect attempts to exploit vulnerabilities within your company's network perimeter. NGFWs go beyond merely detecting exploitation attempts—they prevent them by using an IPS module.

Positive Technologies is an industry leader in results-oriented cybersecurity and a major global provider of information security solutions. Our mission is to safeguard businesses and entire industries against cyberattacks and non-tolerable damage. Over 4,000 organizations worldwide use technologies and services developed by our company.

Positive Technologies is the first and only cybersecurity company in Russia to have gone public on the Moscow Exchange (MOEX: POSI), with 205,000 shareholders and counting.