CVE-2024-39206
📋 TL;DR
MSP360 Backup Agent versions 7.8.5.15 and 7.9.4.84 store network share credentials in an encrypted file (enginesettings.list) using a hard-coded encryption key. Attackers who gain access to this file can decrypt it to obtain credentials for network shares used in backups. Organizations using these vulnerable versions are affected.
💻 Affected Systems
- MSP360 Backup Agent
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain domain administrator or privileged service account credentials from backup configurations, leading to lateral movement, data exfiltration, or ransomware deployment across the network.
Likely Case
Attackers with local access or who compromise the backup server extract network share credentials, potentially gaining access to sensitive file shares and backup repositories.
If Mitigated
With proper network segmentation and credential isolation, impact is limited to the backup system itself without exposing critical domain credentials.
🎯 Exploit Status
Exploitation requires read access to the enginesettings.list file. The hard-coded key is publicly documented in the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.9.5.85 or later
Vendor Advisory: https://www.msp360.com/resources/blog/security-advisory-cve-2024-39206/
Restart Required: Yes
Instructions:
1. Download MSP360 Backup Agent version 7.9.5.85 or later from the official website.
2. Run the installer to upgrade.
3. Restart the backup service or reboot the system.
4. Verify the enginesettings.list file is now encrypted with a unique key.
🔧 Temporary Workarounds
Restrict file access
Windows: Set strict permissions on enginesettings.list to prevent unauthorized read access.
icacls "C:\Program Files\MSP360\Backup Agent\enginesettings.list" /inheritance:r /grant:r "SYSTEM:(F)" "Administrators:(F)" /deny "Users:(R)"
icacls "C:\Program Files (x86)\MSP360\Backup Agent\enginesettings.list" /inheritance:r /grant:r "SYSTEM:(F)" "Administrators:(F)" /deny "Users:(R)"
Use service accounts with minimal privileges
All platforms: Configure backup jobs to use dedicated service accounts with only necessary permissions to network shares.
🧯 If You Can't Patch
- Implement strict access controls on the backup server and enginesettings.list file to prevent unauthorized access.
- Monitor for unusual access to the enginesettings.list file or backup configuration directories.
🔍 How to Verify
Check if Vulnerable:
Check whether enginesettings.list exists in the MSP360 installation directory and verify whether the installed version is 7.8.5.15 or 7.9.4.84.
Check Version:
Check Help > About in the MSP360 Backup Agent GUI or examine the installed program version in Windows Programs and Features.
Verify Fix Applied:
After patching, confirm the installed version is 7.9.5.85 or later and that enginesettings.list uses unique encryption (file hash should differ between systems).
📡 Detection & Monitoring
Log Indicators:
- Failed access attempts to enginesettings.list file
- Unusual process access to MSP360 configuration files
Network Indicators:
- Unexpected network connections from backup server to file shares using extracted credentials
SIEM Query:
EventID=4663 AND ObjectName LIKE '%enginesettings.list%' AND AccessMask=0x1
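The SIEM query above as triage logic, in an added Python example that is not part of the original page or MSP360's code: it tests the read bit bitwise, so combined access masks still match, and skips reads by an expected backup process. The event records and the allow-listed binary name `agent-service.exe` are constructed assumptions; event 4663 is only logged when object access auditing is enabled and the file carries an audit SACL.

```python
# Added example: triage of Security event 4663 reads of enginesettings.list.
FILE_READ_DATA = 0x1  # the access bit the page's SIEM query matches
TARGET = "enginesettings.list"
AGENT_DIR = "C:\\Program Files\\MSP360\\Backup Agent\\"  # path from the page

# Hypothetical allow-list: the binary name is an assumption, replace it with
# the processes that legitimately read the file in your environment.
EXPECTED_PROCESSES = {(AGENT_DIR + "agent-service.exe").lower()}


def parse_mask(value):
    """AccessMask is an int or a hex string such as '0x120089'."""
    return value if isinstance(value, int) else int(str(value), 16)


def suspicious_reads(events, expected=EXPECTED_PROCESSES):
    """Return 4663 events where an unexpected process read the target file."""
    hits = []
    for ev in events:
        if int(ev.get("EventID", 0)) != 4663:
            continue
        if TARGET not in ev.get("ObjectName", "").lower():
            continue
        # Bitwise test: equality with 0x1 would miss combined masks.
        if not parse_mask(ev.get("AccessMask", 0)) & FILE_READ_DATA:
            continue
        if ev.get("ProcessName", "").lower() in expected:
            continue
        hits.append(ev)
    return hits


def event(event_id, mask, process, user):
    """Build one constructed sample record (not a real log line)."""
    return {"EventID": event_id, "ObjectName": AGENT_DIR + TARGET,
            "AccessMask": mask, "ProcessName": process, "SubjectUserName": user}


SAMPLE_EVENTS = [  # constructed for illustration
    event(4663, "0x1", AGENT_DIR + "agent-service.exe", "SYSTEM"),  # expected
    event(4663, "0x120089", r"C:\Windows\System32\cmd.exe", "jdoe"),  # flagged
    event(4663, "0x2", r"C:\Windows\System32\notepad.exe", "jdoe"),  # write only
    event(4656, "0x1", r"C:\Windows\System32\cmd.exe", "jdoe"),  # other event ID
]

if __name__ == "__main__":
    for hit in suspicious_reads(SAMPLE_EVENTS):
        print(hit["SubjectUserName"], hit["ProcessName"], hit["AccessMask"])
```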