CVE-2023-45499
Published 2023-10-27

CVE-2023-45499: VinChin Backup & Recovery v5.0.*, v6.0.*, v6.7.*, and v7.0.* was discovered to contain hardcoded credentials.

Priority: P2 (64) · Severity: critical · CVSS 3.1 base score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: EXPLOIT
EPSS: 7.89% (94.0th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vinchin | vinchin_backup_and_recovery | 5.0 – 7.0 | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP requests targeting the checkIpExists API endpoint for shell metacharacters or command injection payloads in input parameters, as this endpoint performs insufficient input validation.
- Alert on use of hardcoded credentials against VinChin Backup & Recovery v5.0.*, v6.0.*, v6.7.*, and v7.0.* login interfaces, as these versions contain known hardcoded credentials that may be leveraged for initial access.
- Detect exploitation attempts via the Metasploit module exploits/linux/http/vinchin_backup_recovery_cmd_inject targeting VinChin Backup & Recovery HTTP services.
- Hardcoded credentials affect all listed version branches (v5.0.*, v6.0.*, v6.7.*, v7.0.*); any deployment of these versions should be treated as compromised by default until patched or mitigated.
- Command injection is exploitable as the web server user; post-exploitation privilege escalation may follow. Scope of impact is not limited to data exfiltration: arbitrary OS command execution is possible.
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/175397/VinChin-VMWare-Backup-7.0-Hardcoded-Credential-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/176289/Vinchin-Backup-And-Recovery-Command-Injection.html
- http://seclists.org/fulldisclosure/2023/Oct/31
- https://blog.leakix.net/2023/10/vinchin-backup-rce-chain/