CVE-2023-45498
published 2023-10-27

CVE-2023-45498: VinChin Backup & Recovery v5.0.*, v6.0.*, v6.7.*, and v7.0.* was discovered to contain a command injection vulnerability.

Priority: P275 | Severity: critical | CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 20.48% (97.2th percentile)

Affected

1 range
Vendor | Product | Version range | Fixed in
vinchin | vinchin_backup_and_recovery | 5.0 – 7.0 | (not listed)

Detection & IOCs (extracted from sources)

URL: /api/v2/system/checkIpExists
  • Monitor HTTP requests targeting the checkIpExists API endpoint for shell metacharacters or command injection payloads (e.g., semicolons, pipes, backticks, $() constructs) in input parameters.
  • Alert on unexpected OS-level command execution spawned by the VinChin web server process, which may indicate successful exploitation of CVE-2023-45498.
  • Scope detection to VinChin Backup & Recovery versions v5.0.*, v6.0.*, v6.7.*, and v7.0.* — these are the confirmed vulnerable version ranges.
  • The Metasploit module targets the Linux HTTP service of VinChin Backup & Recovery; the exploitation context is limited to the web server user's privilege level, and post-exploitation privilege escalation steps are not described in the available sources.
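The first detection note above, turned into working code as an added example (not code from the page's sources or the vendor): it scans access-log lines for requests to /api/v2/system/checkIpExists whose query parameters contain the listed shell metacharacters or $() / ${} constructs, decoding twice to catch double URL-encoding. The log lines are constructed and the "ip" parameter name is a placeholder; the real endpoint's parameter names are not given on this page, and if it is called with a POST body you need body logging at the proxy or WAF, since an access log only shows the query string.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Endpoint named in the detection notes for CVE-2023-45498.
TARGET_PATH = "/api/v2/system/checkIpExists"
# Shell metacharacters and substitution constructs listed in the detection notes.
_META = re.compile(r"[;|&`]|\$\(|\$\{")
# Minimal combined-log-format matcher: client IP, timestamp, request line, status.
_LOG = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def parse_log_line(line):
    m = _LOG.match(line)
    return m.groupdict() if m else None

def has_shell_metachars(value):
    return bool(_META.search(value))

def suspicious_params(target):
    """Names of query parameters on the checkIpExists path whose decoded value
    contains shell metacharacters. Decodes twice to catch double URL-encoding."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return []
    hits = []
    for pair in parts.query.split("&"):
        name, _, raw = pair.partition("=")
        if name and has_shell_metachars(unquote_plus(unquote_plus(raw))):
            hits.append(name)
    return hits

def scan(lines):
    """One finding per log line that hits the endpoint with a suspicious parameter."""
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if rec and (params := suspicious_params(rec["target"])):
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "status": rec["status"], "params": params})
    return findings

# Constructed sample access-log lines; the "ip" parameter name is a placeholder,
# not taken from the vendor's API documentation.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Oct/2023:10:00:01 +0000] "GET /api/v2/system/checkIpExists?ip=192.168.1.10 HTTP/1.1" 200 17',
    '10.0.0.9 - - [27/Oct/2023:10:00:07 +0000] "GET /api/v2/system/checkIpExists?ip=192.168.1.10%3Bid HTTP/1.1" 200 64',
    '10.0.0.9 - - [27/Oct/2023:10:00:09 +0000] "GET /api/v2/system/checkIpExists?ip=1%2524%2528id%2529 HTTP/1.1" 200 64',
    '10.0.0.7 - - [27/Oct/2023:10:00:12 +0000] "GET /login?next=/x%3By HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```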