CVE-2024-22901

9.8 CRITICAL

📋 TL;DR

Vinchin Backup & Recovery v7.2 uses default MySQL credentials (root/vinchin) that allow attackers to gain database access. This can lead to full system compromise through privilege escalation and remote code execution. All organizations running vulnerable versions without credential changes are affected.

💻 Affected Systems

Products:
  • Vinchin Backup & Recovery
Versions: v7.2 (specific build numbers may vary)
Operating Systems: Linux-based appliance OS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations using default MySQL credentials. Customized installations with changed credentials are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover: attackers gain root access, exfiltrate backup data, deploy ransomware, and pivot to other systems in the network.

🟠 Likely Case

Database compromise leading to backup data theft, credential harvesting, and potential ransomware deployment on backup systems.

🟢 If Mitigated

Limited to database access only if proper network segmentation and credential management are implemented.

🌐 Internet-Facing: HIGH - Default credentials allow unauthenticated access if the MySQL port (3306) is exposed to the internet.
🏢 Internal Only: HIGH - Attackers with internal network access can exploit this easily to gain privileged access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit requires MySQL port access. Public exploit scripts and detailed attack chains are available in referenced disclosures.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified by vendor

Vendor Advisory: http://vinchin.com (no specific advisory found)

Restart Required: No

Instructions:

1. Change the default MySQL root password immediately.
2. Review and update all database credentials.
3. Monitor for vendor updates.

🔧 Temporary Workarounds

Change MySQL Root Password

Immediately change the default MySQL root password from 'vinchin' to a strong, unique password. Using -p without the password on the command line avoids writing the old secret into shell history; enter 'vinchin' at the prompt. ALTER USER requires MySQL 5.7+ or MariaDB 10.2+; older servers use SET PASSWORD instead.

  mysql -u root -p -e "ALTER USER 'root'@'localhost' IDENTIFIED BY 'NEW_STRONG_PASSWORD'; FLUSH PRIVILEGES;"

Also check the mysql.user table for root accounts defined for other hosts (for example 'root'@'%'); each of those still accepts the default password until it is changed as well.

Restrict MySQL Network Access

Block external access to the MySQL port (3306) using firewall rules. The iptables rule is inserted at the top of the INPUT chain and excludes the loopback interface so that local components that reach the database over TCP keep working; ufw allows loopback by default.

  iptables -I INPUT -p tcp --dport 3306 ! -i lo -j DROP
  ufw deny 3306

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate backup systems from other networks
  • Deploy intrusion detection systems to monitor for MySQL brute force attempts and unusual database queries

🔍 How to Verify

Check if Vulnerable:

Attempt to connect to MySQL using the default credentials: mysql -u root -pvinchin -h [TARGET_IP]. A successful login confirms the host is vulnerable; a refused or filtered connection only shows the port is blocked from that vantage point, not that the password was changed.

Check Version:

Check the Vinchin web interface or appliance documentation for version information.

Verify Fix Applied:

Test that the default credentials no longer work (the server must answer "Access denied") and that only authorized credentials provide access.

📡 Detection & Monitoring

Log Indicators:

  • Failed MySQL authentication attempts
  • Successful root login from unusual IPs
  • Unusual database queries or schema modifications

Network Indicators:

  • Port 3306 scanning activity
  • MySQL protocol traffic from unexpected sources
  • Brute force patterns on MySQL port

SIEM Query:

source="mysql.log" (event="Access denied" OR user="root") | stats count by src_ip
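The log indicators above can be checked outside a SIEM as well. The following script is an added example, not part of this advisory or of the vendor's product: it parses constructed MySQL general-log Connect lines and error-log "Access denied" lines, counts events per source host like the stats query, and raises an alert for a root login from a host outside an assumed allowlist or for a burst of failed logins.

```python
import re
from collections import Counter

# Constructed sample lines in MySQL general-log (Connect) and error-log
# (Access denied) formats; not captured from a real appliance.
SAMPLE_LOG = """\
2024-03-01T09:00:01.000000Z    10 Connect   vinchin@localhost on vinchin using Socket
2024-03-01T09:05:12.000000Z    11 Connect   root@192.0.2.10 on  using TCP/IP
2024-03-01T09:05:13.000000Z 12 [Note] Access denied for user 'root'@'198.51.100.7' (using password: YES)
2024-03-01T09:05:14.000000Z 13 [Note] Access denied for user 'root'@'198.51.100.7' (using password: YES)
2024-03-01T09:05:15.000000Z 14 [Note] Access denied for user 'root'@'198.51.100.7' (using password: YES)
2024-03-01T09:05:16.000000Z    15 Connect   root@198.51.100.7 on mysql using TCP/IP
"""

CONNECT_RE = re.compile(r"\bConnect\s+(?P<user>[^@\s]+)@(?P<host>[^\s]+)")
DENIED_RE = re.compile(r"Access denied for user '(?P<user>[^']+)'@'(?P<host>[^']+)'")

def parse_line(line):
    """Return (event, user, host) or None for lines that are not auth events."""
    m = DENIED_RE.search(line)
    if m:
        return ("denied", m.group("user"), m.group("host"))
    m = CONNECT_RE.search(line)
    if m:
        return ("connect", m.group("user"), m.group("host"))
    return None

def analyze(log_text, allowed_root_hosts=("localhost", "127.0.0.1"), denied_threshold=3):
    """Count auth events per source host and raise the two alerts the
    advisory's log indicators describe: a root login from a host that is
    not on the (assumed) allowlist, and a burst of failed logins."""
    counts = Counter()   # all auth events per host, like "stats count by src_ip"
    denied = Counter()   # failed logins per host
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        event, user, host = ev
        counts[host] += 1
        if event == "denied":
            denied[host] += 1
            if denied[host] == denied_threshold:
                alerts.append(f"brute-force: {denied_threshold} failed logins from {host}")
        elif user == "root" and host not in allowed_root_hosts:
            alerts.append(f"root-login: root connected from {host}")
    return dict(counts), alerts

if __name__ == "__main__":
    counts, found = analyze(SAMPLE_LOG)
    print(counts)
    for alert in found:
        print("ALERT", alert)
```

The general query log must be enabled (general_log=ON) for Connect lines to appear; Access denied lines come from the error log with log_error_verbosity at 3 (or the MariaDB equivalent).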
