CVE-2023-45499
published 2023-10-27

CVE-2023-45499: VinChin Backup & Recovery v5.0.*, v6.0.*, v6.7.*, and v7.0.* was discovered to contain hardcoded credentials.

Priority: P2 · 64 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT available
EPSS: 7.89% (94.0th percentile)

Affected (1 range)

Vendor   | Product                     | Version range | Fixed in
vinchin  | vinchin_backup_and_recovery | 5.0 – 7.0     |

Detection & IOCs

url/checkIpExists
  • Monitor HTTP requests to the checkIpExists API endpoint for shell metacharacters or other command-injection payloads in its input parameters; this endpoint performs insufficient input validation.
  • Alert on logins to VinChin Backup & Recovery v5.0.*, v6.0.*, v6.7.*, and v7.0.* that use the known hardcoded credentials, since they give an attacker initial access without any prior foothold.
  • Detect exploitation attempts by the Metasploit module exploits/linux/http/vinchin_backup_recovery_cmd_inject against VinChin Backup & Recovery HTTP services.
  • The hardcoded credentials are present in every listed version branch (v5.0.*, v6.0.*, v6.7.*, v7.0.*); any deployment of these versions should be treated as compromised by default until it is patched or mitigated.
  • The command injection executes as the web-server user, so post-exploitation privilege escalation may follow. Impact is not limited to data exfiltration: arbitrary OS command execution is possible.
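As an added example (not code from this page, from VinChin, or from the Metasploit module), the following Python detection logic runs the first bullet's check over constructed access-log lines: it flags any request whose path contains checkIpExists and whose query parameters carry shell metacharacters, and, as a stricter allowlist check, parameter values that do not parse as an IP address. The combined log format, the /api/ path prefix, and the parameter name `ip` are assumptions; the page only names the endpoint.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Endpoint name taken from the IOC list above; the /api/ prefix is assumed.
SUSPICIOUS_PATH = "checkIpExists"

# Shell metacharacters that have no business in an IP-address parameter.
SHELL_META = re.compile(r"[;&|`$<>\\\n]")

# Apache/nginx combined log format (assumed; adapt to your server's format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def _is_ip(value):
    """True if value is a syntactically valid IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def analyze_line(line):
    """Return an alert dict for a suspicious checkIpExists request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    parts = urlsplit(target)
    if SUSPICIOUS_PATH not in parts.path:
        return None

    flagged = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes once; decode again so a double-encoded %253B
        # still surfaces as ';' instead of slipping past the regex.
        candidates = {value, unquote_plus(value)}
        if any(SHELL_META.search(c) for c in candidates):
            flagged.append((key, value, "shell-metacharacters"))
        elif "ip" in key.lower() and not _is_ip(value):
            # Allowlist check: an IP parameter must parse as an IP address.
            flagged.append((key, value, "not-an-ip-address"))

    if not flagged:
        return None
    return {
        "src": m.group("src"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "target": target,
        "flagged": flagged,
    }


def scan_log(text):
    """Run analyze_line over every line and return the alerts in log order."""
    return [a for a in (analyze_line(l) for l in text.splitlines()) if a]


# Constructed sample log: one benign probe, two injection attempts,
# an unrelated request, a malformed IP, and a POST whose body is not logged.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Oct/2023:10:15:01 +0000] "GET /api/checkIpExists?ip=10.0.0.5 HTTP/1.1" 200 51
203.0.113.7 - - [27/Oct/2023:10:15:03 +0000] "GET /api/checkIpExists?ip=10.0.0.5%3Bid HTTP/1.1" 200 212
203.0.113.7 - - [27/Oct/2023:10:15:09 +0000] "GET /api/checkIpExists?ip=10.0.0.5%7C%60id%60 HTTP/1.1" 500 0
198.51.100.2 - - [27/Oct/2023:10:16:00 +0000] "GET /login.php HTTP/1.1" 200 1023
198.51.100.2 - - [27/Oct/2023:10:16:05 +0000] "GET /api/checkIpExists?ip=10.0.0.999 HTTP/1.1" 200 51
198.51.100.2 - - [27/Oct/2023:10:16:12 +0000] "POST /api/checkIpExists HTTP/1.1" 200 51
"""

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ts"], alert["src"], alert["target"], alert["flagged"])
```

The last sample line shows the limit of access-log-based detection: a POST carries its parameters in the body, which a standard access log does not record, so the same logic must run on a WAF, reverse-proxy or application log that captures request bodies. The "not-an-ip-address" rule is the allowlist the endpoint itself should enforce; if your parameter names differ, adjust the `"ip" in key.lower()` assumption.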