CVE-2024-25228
Published: 14 March 2024
Summary
CVE-2024-25228 is a high-severity Command Injection (CWE-77) vulnerability in Vinchin Backup and Recovery. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 1.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Vinchin Backup and Recovery versions 7.2 and earlier contain an authenticated remote code execution vulnerability in the getVerifydiyResult function within ManoeuvreHandler.class.php. The flaw is tracked as CVE-2024-25228 with a CVSS 3.1 score of 8.8 and is classified as CWE-77 command injection. The affected function passes attacker-controllable input into a command that is executed on the server when it processes verification results.
An attacker who has obtained low-privileged authenticated access can exploit the issue over the network without user interaction. Successful exploitation grants the ability to execute arbitrary commands, resulting in full compromise of confidentiality, integrity, and availability on the backup server. The published EPSS score of 0.5770 indicates a substantial likelihood of exploitation attempts.
Public disclosures on the Full Disclosure mailing list and a detailed technical analysis published by Leakix describe the vulnerability and a related exploitation chain, although no official vendor patch or mitigation guidance is referenced in the available sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-22564
Vulnerability details
Vinchin Backup and Recovery 7.2 and earlier is vulnerable to Authenticated Remote Code Execution (RCE) via the getVerifydiyResult function in ManoeuvreHandler.class.php.
- CWE(s): CWE-77 (Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.