PT-2024-1553 · Vinchin · Vinchin Backup & Recovery

Valentin Lobstein · Published 2024-01-11 · Updated 2025-06-04 · CVE-2024-22899

CVSS v2.0: 9.0 (High) · Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Vinchin Backup & Recovery version 7.2

Description: The issue is in the syncNtpTime() function of the SystemHandler.class.php script in Vinchin Backup & Recovery, which fails to neutralize special elements used in an operating system command when processing the ntphost parameter. An authenticated remote attacker can exploit this to execute arbitrary commands by sending specially crafted POST requests, giving authenticated remote code execution (RCE) via the syncNtpTime function.

Recommendations: For Vinchin Backup & Recovery version 7.2, as a temporary workaround, consider disabling the syncNtpTime() function until a patch is available. Restrict access to the SystemHandler.class.php script to minimize the risk of exploitation. Avoid using the ntphost parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
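The weakness described above is a request parameter reaching an OS command without neutralization. The following is an added example, not code from this advisory or from Vinchin, showing how a parameter like ntphost should be validated and escaped in PHP (the affected script is PHP); the function names, the ntpdate command and the sample inputs are assumptions.

```php
<?php
// Added example (not Vinchin's code). Function names and the ntpdate
// invocation are hypothetical; the point is the validation step.

/**
 * Accept only a syntactically valid hostname (RFC 1123 labels) or an IP
 * address. Anything else, including shell metacharacters, is rejected.
 */
function isValidNtpHost(string $host): bool
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    if ($host === '' || strlen($host) > 253) {
        return false;
    }
    // Each label: 1-63 chars, alphanumeric or hyphen, no leading/trailing hyphen.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    return preg_match('/^' . $label . '(?:\.' . $label . ')*\.?$/', $host) === 1;
}

/**
 * Build the time-sync command only from a validated host, and still wrap it
 * with escapeshellarg() as defence in depth. Returns null when the input is
 * rejected so the caller can answer with HTTP 400 instead of running anything.
 * The flaw class in the advisory is the opposite: concatenating the raw
 * request parameter straight into the command string.
 */
function buildNtpSyncCommand(string $ntphost): ?string
{
    if (!isValidNtpHost($ntphost)) {
        return null;
    }
    return 'ntpdate -u ' . escapeshellarg($ntphost);
}

// Constructed sample inputs, as a handler might receive them in a POST body.
$samples = [
    'pool.ntp.org',        // accepted
    '192.0.2.10',          // accepted (documentation IP range)
    'ntp.example.com|x',   // shell metacharacter: rejected
    'ntp.example.com;',    // trailing metacharacter: rejected
    '',                    // empty: rejected
];
foreach ($samples as $s) {
    $cmd = buildNtpSyncCommand($s);
    printf("%-22s => %s\n", var_export($s, true), $cmd ?? 'REJECTED');
}
```

Validation against an allowlist is the primary control; escapeshellarg() alone would neutralize the shell but still let nonsense values reach the NTP client.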

Exploit

RCE

Code Injection

OS Command Injection

Command Injection

Weakness Enumeration

Related Identifiers

BDU:2024-01094
CVE-2024-22899

Affected Products

Vinchin Backup & Recovery