CVE-2023-45498: RCE in VinChin Backup

Key Vulnerability Information

CVE ID: CVE-2023-45498
Vulnerable Software: VinChin Backup & Recovery
Issue: Remote Code Execution (RCE) via HTTP API
Affected Versions: 5.0 up until the last known version

Vulnerability Details

Description: The HTTP API in VinChin Backup is exposed with hard-coded credentials that grant high privileges. A specific endpoint does not properly sanitize its input, leading to RCE.

IOCs: Any requests to from untrusted IPs should be considered suspicious. Logs can be found in .

Mitigation: VinChin has not acknowledged the issue. Remove exposed instances from untrusted networks and update to version 7.2.

Timeline

2023-09-22: Initial contact from LeakIX
2023-09-25: VinChin requested details
2023-10-10: No reply, alternative email used
2023-10-18: No reply, 7-day warning sent
2023-11-02: VinChin version 7.2 released
2023-11-03: Advisory updated with fix details

Fixes

Limit method calls with hardcoded API key
Update API Access Control Lists (ACLs) to prevent hard-coded credential access
Released version 7.2 with fixes

Conclusion

Update to VinChin Backup version 7.2 to mitigate the RCE vulnerability.
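As an added detection example (not part of the advisory or of VinChin's software), the script below applies the IOC above to web-server logs: it parses combined-format lines and flags requests to the vulnerable endpoint from IPs outside a trusted allowlist. The endpoint path SUSPECT_ENDPOINT is a placeholder because the advisory does not reproduce it, the trusted networks are assumed, and the log lines are constructed.

```python
import ipaddress
import re

# Placeholder: the advisory does not reproduce the vulnerable endpoint path.
SUSPECT_ENDPOINT = "/PLACEHOLDER_VULNERABLE_ENDPOINT"

# Assumed trusted management networks; adjust to the deployment.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.1.0/24")]

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def is_trusted(ip_text):
    """True only if the source address parses and lies in a trusted range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable source: treat as untrusted
    return any(ip in net for net in TRUSTED_NETWORKS)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_suspicious(lines):
    """Return (ip, timestamp, path) for hits on the endpoint from untrusted IPs."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        # Compare without the query string so ?a=b variants are still caught.
        path = rec["path"].split("?", 1)[0]
        if path == SUSPECT_ENDPOINT and not is_trusted(rec["ip"]):
            hits.append((rec["ip"], rec["ts"], rec["path"]))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.5.7 - - [02/Nov/2023:10:00:01 +0000] "POST /PLACEHOLDER_VULNERABLE_ENDPOINT HTTP/1.1" 200 512',
    '203.0.113.45 - - [02/Nov/2023:10:00:09 +0000] "POST /PLACEHOLDER_VULNERABLE_ENDPOINT?x=1 HTTP/1.1" 200 640',
    '198.51.100.9 - - [02/Nov/2023:10:01:15 +0000] "GET /login HTTP/1.1" 200 1024',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, ts, path in find_suspicious(SAMPLE_LOG):
        print(f"SUSPICIOUS {ts} {ip} -> {path}")
```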