PT-2024-2557 · Vinchin · Vinchin Backup & Recovery
Valentin Lobstein · Published 2024-03-13 · Updated 2025-06-02 · CVE-2024-25228
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Vinchin Backup and Recovery versions 7.2 and earlier
Description
The issue lies in the getVerifydiyResult function, which is vulnerable to authenticated remote code execution (RCE): a remote, authenticated attacker can exploit it to execute arbitrary code. The root cause is missing sanitization of user-supplied input at the management layer.

Recommendations
For Vinchin Backup and Recovery versions 7.2 and earlier, as a temporary workaround, consider disabling the getVerifydiyResult function in ManoeuvreHandler.class.php until a patch is available.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit
RCE
Command Injection
Affected Products
Vinchin Backup & Recovery