CVE-2023-45499

CRITICAL

Vinchin Backup & Recovery 5.0-7.0 - Use of Hard-coded Credentials

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-45499. PoCs published by Gregory Boddin (LeakIX), Valentin Lobstein, including Metasploit module exploits/linux/http/vinchin_backup_recovery_cmd_inject.

AI-analyzed exploit summary This Metasploit module exploits a command injection vulnerability in Vinchin Backup & Recovery via the checkIpExists API endpoint, allowing arbitrary command execution as the web server user. It uses a hardcoded API key and crafts a malicious payload to achieve RCE.

Description

VinChin Backup & Recovery v5.0.*, v6.0.*, v6.7.*, and v7.0.* was discovered to contain hardcoded credentials.

Exploits (1)

metasploit WORKING POC EXCELLENT
by Gregory Boddin (LeakIX), Valentin Lobstein · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/vinchin_backup_recovery_cmd_inject.rb

This Metasploit module exploits a command injection vulnerability in Vinchin Backup & Recovery via the checkIpExists API endpoint, allowing arbitrary command execution as the web server user. It uses a hardcoded API key and crafts a malicious payload to achieve RCE.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Vinchin Backup & Recovery v5.0.*, v6.0.*, v6.7.*, v7.0.*
No auth needed
Prerequisites: Network access to the target · Vinchin Backup & Recovery instance with vulnerable version
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 9.8
EPSS 0.0789
EPSS Percentile 94.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-798
Status published
Products (1)
vinchin/vinchin_backup_and_recovery 5.0 - 7.0
Published Oct 27, 2023
Tracked Since Feb 18, 2026