Cyber Resilience

CVE-2024-25228

Severity: High · Public PoC · RCE

Published: 14 March 2024
Modified: 04 November 2025
KEV added: not listed
Patch: none referenced
CVSS v3.1 base score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.5770 (98.2nd percentile)
Risk priority: 52 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-25228 is a high-severity command injection (CWE-77) vulnerability in Vinchin Backup and Recovery. Its CVSS v3.1 base score is 8.8 (High).

Operationally, its EPSS score places it in the top 1.8% of CVEs by predicted exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof of concept is referenced.

Deeper analysis

Vinchin Backup and Recovery versions 7.2 and earlier contain an authenticated remote code execution vulnerability in the getVerifydiyResult function within ManoeuvreHandler.class.php. The flaw is tracked as CVE-2024-25228 with a CVSS v3.1 base score of 8.8 and is classified as CWE-77 command injection. The affected component allows an authenticated remote attacker to supply crafted input that is executed on the server when the function processes verification results.

An attacker who has obtained low-privileged authenticated access can exploit the issue over the network without user interaction. Successful exploitation grants the ability to execute arbitrary commands, resulting in full compromise of confidentiality, integrity, and availability on the backup server. The published EPSS score of 0.5770 (EPSS estimates the probability of exploitation activity in the next 30 days) indicates a substantial likelihood of exploitation attempts.

Public disclosures on the Full Disclosure mailing list and a detailed technical analysis published by LeakIX describe the vulnerability and a related exploitation chain, although no official vendor patch or mitigation guidance is referenced in the available sources. Until a vendor fix is confirmed, the levers implied by the vector are the ones that gate the prerequisite: network exposure of the management interface and the availability of low-privileged credentials.

Vulnerability details

Vinchin Backup and Recovery 7.2 and Earlier is vulnerable to Authenticated Remote Code Execution (RCE) via the getVerifydiyResult function in ManoeuvreHandler.class.php.

CWE(s)

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Vinchin
Product: Vinchin Backup and Recovery
Versions: ≤ 7.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
