CVE-2024-25228

Vinchin Backup and Recovery 7.2 and Earlier is vulnerable to Authenticated Remote Code Execution (RCE) via the getVerifydiyResult function in ManoeuvreHandler.class.php.
Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
CISA-ADPADP
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 97%
VendorProductVersion
vinchinvinchin_backup_and_recovery
𝑥
≤ 7.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://blog.leakix.net/2024/01/vinchin-backup-rce-chain/
https://seclists.org/fulldisclosure/2024/Mar/15
https://blog.leakix.net/2024/01/vinchin-backup-rce-chain/
https://seclists.org/fulldisclosure/2024/Mar/15