CVE-2023-45498
Published 2023-10-27
VinChin Backup & Recovery v5.0.*, v6.0.*, v6.7.*, and v7.0.* was discovered to contain a command injection vulnerability.
Priority: P2 75
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 20.48% (97.2th percentile)
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vinchin | vinchin_backup_and_recovery | 5.0 – 7.0 | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP requests targeting the checkIpExists API endpoint for shell metacharacters or command injection payloads (e.g., semicolons, pipes, backticks, $() constructs) in input parameters.
- Alert on unexpected OS-level command execution spawned by the VinChin web server process, which may indicate successful exploitation of CVE-2023-45498.
- Scope detection to VinChin Backup & Recovery versions v5.0.*, v6.0.*, v6.7.*, and v7.0.*; these are the confirmed vulnerable version ranges.
- The Metasploit module targets the Linux HTTP service of VinChin Backup & Recovery. Exploitation context is limited to the web server user privilege level; post-exploitation privilege escalation steps are not described in the available sources.
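The first check above, as an added example that is not taken from the cited sources or from any vendor tooling: it scans web access logs for checkIpExists requests whose query parameters contain shell metacharacters after URL decoding. It assumes combined-format logs that record the query string; the sample lines, the `/api/` path prefix and the parameter name `param` are constructed placeholders. Parameters sent in a request body do not appear in such logs and need inspection at a proxy or WAF instead.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Metacharacters named in the guidance (; | ` and $( ), plus & and newlines,
# which also chain commands in a POSIX shell.
SHELL_META = re.compile(r"[;|`&\r\n]|\$\(")
# Request line of a combined-format access log entry.
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines; the /api/ prefix and "param" name are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Oct/2023:10:00:01 +0000] "GET /api/checkIpExists?param=10.0.0.5 HTTP/1.1" 200 17',
    '198.51.100.7 - - [27/Oct/2023:10:00:02 +0000] "GET /api/checkIpExists?param=10.0.0.5%3Bid HTTP/1.1" 200 17',
    '198.51.100.7 - - [27/Oct/2023:10:00:03 +0000] "GET /api/checkIpExists?param=%24%28id%29 HTTP/1.1" 200 17',
    '192.0.2.10 - - [27/Oct/2023:10:00:04 +0000] "GET /api/other?param=a%3Bb HTTP/1.1" 200 17',
    '198.51.100.7 - - [27/Oct/2023:10:00:05 +0000] "GET /api/checkIpExists?param=10.0.0.5%2560id%2560 HTTP/1.1" 200 17',
]


def suspicious_params(log_line):
    """Return [(name, decoded_value)] for checkIpExists requests whose query
    parameters contain shell metacharacters; [] for anything else."""
    m = REQUEST.search(log_line)
    if not m or "checkipexists" not in m.group("target").lower():
        return []
    hits = []
    query = urlsplit(m.group("target")).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote(value)  # second pass catches double-encoded input
        if SHELL_META.search(decoded):
            hits.append((name, decoded))
    return hits


def scan(lines):
    """Return [(line_number, hits)] for every line with at least one hit."""
    results = []
    for number, line in enumerate(lines, start=1):
        hits = suspicious_params(line)
        if hits:
            results.append((number, hits))
    return results


if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(f"line {number}: {hits}")
```
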
References
- http://packetstormsecurity.com/files/175397/VinChin-VMWare-Backup-7.0-Hardcoded-Credential-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/176289/Vinchin-Backup-And-Recovery-Command-Injection.html
- http://seclists.org/fulldisclosure/2023/Oct/31
- https://blog.leakix.net/2023/10/vinchin-backup-rce-chain/