CVE-2023-45498
Published: 27 October 2023
Summary
CVE-2023-45498 is a critical-severity Command Injection (CWE-77) vulnerability in Vinchin Backup and Recovery. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
VinChin Backup & Recovery versions 5.0.*, 6.0.*, 6.7.*, and 7.0.* contain a command injection vulnerability tracked as CVE-2023-45498. The flaw is classified under CWE-77 and carries a CVSS 3.1 base score of 9.8, reflecting a network-accessible attack that requires no authentication or user interaction and can impact confidentiality, integrity, and availability.
An unauthenticated remote attacker can supply crafted input that results in arbitrary command execution on the affected backup server. Public exploit material demonstrates that successful exploitation yields full system control, including the ability to leverage related issues such as hardcoded credentials to chain into remote code execution.
The listed references consist of detailed public disclosures on PacketStorm and Seclists and a technical write-up from Leakix, which include proof-of-concept code for the command injection and the associated RCE chain. No vendor advisory or patch information is provided in the available references. The EPSS score stands at a current and peak value of 0.7946, indicating elevated exploitation likelihood, with public exploits released near the October 2023 disclosure date.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-49790
Vulnerability details
VinChin Backup & Recovery v5.0.*, v6.0.*, v6.7.*, and v7.0.* were discovered to contain a command injection vulnerability.
- CWE(s): CWE-77 (Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.