Cyber Resilience

CVE-2023-45498

Critical · Public PoC · RCE

Published: 27 October 2023
Modified: 12 June 2025
KEV Added: not listed
Patch: none referenced
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.7946 (99.1st percentile)
Risk Priority: 67 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-45498 is a critical-severity Command Injection (CWE-77) vulnerability in Vinchin Backup & Recovery. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

VinChin Backup & Recovery versions 5.0.*, 6.0.*, 6.7.*, and 7.0.* contain a command injection vulnerability tracked as CVE-2023-45498. The flaw is classified under CWE-77 and carries a CVSS 3.1 base score of 9.8, reflecting a network-accessible attack that requires no authentication or user interaction and can impact confidentiality, integrity, and availability.

An unauthenticated remote attacker can supply crafted input that results in arbitrary command execution on the affected backup server. Public exploit material demonstrates that successful exploitation yields full system control, including the ability to leverage related issues such as hardcoded credentials to chain into remote code execution.

The listed references consist of detailed public disclosures on PacketStorm, Seclists, and a technical write-up from Leakix that include proof-of-concept code for the command injection and associated RCE chain. No vendor advisory or patch information is provided in the available references. The EPSS score stands at a current and peak value of 0.7946, indicating elevated exploitation likelihood with public exploits released near the October 2023 disclosure date.


Vulnerability details

VinChin Backup & Recovery v5.0.*, v6.0.*, v6.7.*, and v7.0.* were discovered to contain a command injection vulnerability.


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: vinchin
Product: vinchin backup and recovery
Versions: 5.0 — 7.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
