Headline
Vinchin Backup And Recovery 7.2 Default MySQL Credentials
A critical security issue has been discovered in Vinchin Backup and Recovery version 7.2. The software has been found to use default MYSQL credentials, which could lead to significant security risks.
CVE ID: CVE-2024-22901Title: Default MYSQL Credentials Vulnerability in Vinchin Backup & Recovery v7.2Description:A critical security issue, identified as CVE-2024-22901, has been discovered in Vinchin Backup & Recovery version 7.2. The software has been found to use default MYSQL credentials, which could lead to significant security risks.Additional Information:Vinchin has not addressed previous disclosures, including CVE-2022-35866, and has not patched the reported vulnerabilities. The presence of these unresolved issues, now compounded by the newly discovered vulnerability of default MYSQL credentials, opens up potential avenues for easy unauthenticated Remote Code Execution (RCE). This lack of response is alarming for a product that is certified in cybersecurity and poses a considerable risk to its users.Vulnerability Type:Incorrect Access ControlVendor of Product:VinchinAffected Product Code Base:Vinchin Backup & Recovery - Version 7.2Affected Component:The MySQL database used by Vinchin Backup & RecoveryAttack Type:RemoteImpact - Escalation of Privileges:TrueAttack Vectors:The vulnerability can be exploited via local or remote access, utilizing the unpatched default MySQL credentials.Discoverer:Valentin LobsteinReference:http://vinchin.comConclusion:The discovery of CVE-2024-22901 highlights a critical oversight in Vinchin Backup & Recovery's security posture. Users are advised to be cautious and to monitor for any updates or patches from Vinchin, which should be applied immediately to mitigate this risk.Signed,Valentin Lobstein
Related news
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.
This vulnerability allows remote attackers to bypass authentication on affected installations of Vinchin Backup and Recovery 6.5.0.17561. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of the MySQL server. The server uses a hard-coded password for the administrator user. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-17139.