CVE-2024-22899

HIGH

Vinchin Backup & Recovery <7.2 - Authenticated RCE

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-22899. PoCs published by Chocapikk.

AI-analyzed exploit summary This repository contains a functional exploit chain for authenticated RCE in Vinchin Backup and Recovery (version 7.2 and earlier), leveraging command injection vulnerabilities in multiple functions (e.g., `deleteUpdateAPK`, `getVerifydiyResult`). The exploit includes detailed technical analysis and payload options for reverse shells.

Description

Vinchin Backup & Recovery v7.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the syncNtpTime function.

Exploits (1)

nomisec WORKING POC 7 stars
by Chocapikk · poc
https://github.com/Chocapikk/CVE-2024-22899-to-22903-ExploitChain

This repository contains a functional exploit chain for authenticated RCE in Vinchin Backup and Recovery (version 7.2 and earlier), leveraging command injection vulnerabilities in multiple functions (e.g., `deleteUpdateAPK`, `getVerifydiyResult`). The exploit includes detailed technical analysis and payload options for reverse shells.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Vinchin Backup and Recovery <= 7.2
Auth required
Prerequisites: Access to login page · Valid credentials or ability to exploit credential-free methods (CVE-2024-22902, CVE-2024-22901)
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (5)

Core 5

Scores

CVSS v3 8.8
EPSS 0.0237
EPSS Percentile 81.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-94
Status published
Products (1)
vinchin/vinchin_backup_and_recovery < 7.2
Published Feb 02, 2024
Tracked Since Feb 18, 2026