CVE-2024-22900

8.8 HIGH

📋 TL;DR

Vinchin Backup & Recovery v7.2 contains an authenticated remote code execution vulnerability in the setNetworkCardInfo function. This allows authenticated attackers to execute arbitrary commands on the server with the privileges of the application. Organizations using Vinchin Backup & Recovery v7.2 are affected.

💻 Affected Systems

Products:
  • Vinchin Backup & Recovery
Versions: v7.2
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the web interface. The vulnerability is in the network configuration functionality.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise allowing attackers to execute arbitrary commands, steal backup data, deploy ransomware, or pivot to other systems in the network.

🟠 Likely Case

Data exfiltration of backup archives, deployment of cryptocurrency miners, or installation of persistent backdoors.

🟢 If Mitigated

Limited impact due to network segmentation, strong authentication controls, and minimal privileges for backup service accounts.

🌐 Internet-Facing: HIGH - If exposed to the internet, attackers can exploit this after obtaining valid credentials.
🏢 Internal Only: HIGH - Even internally, any authenticated user can exploit this vulnerability to gain elevated privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit code is publicly available on Packet Storm Security and other sources. Attack requires valid credentials but is straightforward to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v7.2 Update 1 or later

Vendor Advisory: http://vinchin.com

Restart Required: Yes

Instructions:

1. Log into the Vinchin Backup & Recovery web interface.
2. Navigate to System Settings > Update.
3. Check for available updates.
4. Apply v7.2 Update 1 or later.
5. Restart the backup service or the entire system as prompted.

🔧 Temporary Workarounds

Network Segmentation (applies to: all platforms)

Restrict access to the Vinchin Backup & Recovery web interface to trusted administrative networks only.

Authentication Hardening (applies to: all platforms)

Implement multi-factor authentication, strong password policies, and limit administrative accounts.

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach the Vinchin web interface
  • Monitor for unusual command execution patterns and review authentication logs for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check whether the host is running Vinchin Backup & Recovery v7.2 without Update 1 applied: log into the web interface and check the version under System Settings.

Check Version:

Run curl -k https://<vinchin-ip>:8080/api/version, or check the version in the web interface under System Settings.

Verify Fix Applied:

Verify version shows v7.2 Update 1 or later in System Settings > About.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to setNetworkCardInfo endpoint
  • Command execution patterns in system logs
  • Failed authentication attempts followed by successful login

Network Indicators:

  • Unusual outbound connections from backup server
  • Traffic to command and control servers
  • Unexpected network scanning from backup server

SIEM Query:

source="vinchin.log" AND (uri="/api/setNetworkCardInfo" OR command="cmd.exe" OR command="/bin/sh")
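As an added example (not code from the advisory or the vendor), the following Python script applies the log indicators above to constructed access-log lines: it flags every POST to the setNetworkCardInfo endpoint, flags a successful login preceded by failed attempts from the same source IP, and marks a network-configuration change that followed such a burst. The common-log-format layout, the /login path, and the /api/setNetworkCardInfo path (taken from the SIEM query above) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (not from a real Vinchin host). The URI
# /api/setNetworkCardInfo is the endpoint named in the advisory's SIEM query.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Mar/2024:10:01:02 +0000] "GET /api/version HTTP/1.1" 200 87
10.0.0.9 - - [12/Mar/2024:10:02:10 +0000] "POST /login HTTP/1.1" 401 0
10.0.0.9 - - [12/Mar/2024:10:02:15 +0000] "POST /login HTTP/1.1" 401 0
10.0.0.9 - admin [12/Mar/2024:10:02:40 +0000] "POST /login HTTP/1.1" 200 512
10.0.0.9 - admin [12/Mar/2024:10:03:01 +0000] "POST /api/setNetworkCardInfo HTTP/1.1" 200 14
10.0.0.5 - admin [12/Mar/2024:11:15:00 +0000] "POST /api/setNetworkCardInfo HTTP/1.1" 200 14
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
TARGET_URI = "/api/setNetworkCardInfo"   # assumed path, taken from the advisory
LOGIN_URI = "/login"                      # assumed login path

def parse_log(text):
    """Parse CLF-style lines into dicts sorted by time; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
            ev["status"] = int(ev["status"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def find_suspicious(events, window=timedelta(minutes=10)):
    """Return findings for the two log indicators listed in the advisory."""
    findings = []
    for i, ev in enumerate(events):
        # Failed logins from the same source IP within `window` before this event.
        prior_failures = [p for p in events[:i]
                          if p["ip"] == ev["ip"] and p["uri"] == LOGIN_URI
                          and p["status"] == 401 and ev["ts"] - p["ts"] <= window]
        if ev["uri"] == LOGIN_URI and ev["status"] == 200 and prior_failures:
            findings.append({"kind": "failed_then_success", "ip": ev["ip"],
                             "user": ev["user"], "failures": len(prior_failures)})
        if ev["method"] == "POST" and ev["uri"] == TARGET_URI:
            findings.append({"kind": "network_card_post", "ip": ev["ip"],
                             "user": ev["user"], "ts": ev["ts"].isoformat(),
                             "preceded_by_failed_logins": bool(prior_failures)})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(parse_log(SAMPLE_LOG)):
        print(finding)
```

Every POST to the endpoint is reported because legitimate administrators also change network settings; the preceded_by_failed_logins flag is what separates the suspicious case for triage.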
