[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] [Full Disclosure] CVE-2024-22902: Default Root Credentials in Vinchin Backup & Recovery v7.2 and Earlier
- To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] [Full Disclosure] CVE-2024-22902: Default Root Credentials in Vinchin Backup & Recovery v7.2 and Earlier
- From: Valentin Lobstein via Fulldisclosure <fulldisclosure@xxxxxxxxxxxx>
- Date: Thu, 25 Jan 2024 19:22:25 +0000
CVE ID: CVE-2024-22902
Title: Default Root Credentials Vulnerability in Vinchin Backup & Recovery v7.2
Suggested Description:
Vinchin Backup & Recovery version 7.2 has been identified as being configured
with default root credentials, posing a significant security vulnerability.
Additional Information:
There is no documentation or guidance from Vinchin on changing the root
password for this version. The use of password authentication as root is
possible, leading to potential unauthorized access.
Vulnerability Type:
Incorrect Access Control
Vendor of Product:
Vinchin
Affected Product Code Base:
Vinchin - Version 7.2
Attack Type:
Remote
Impact - Escalation of Privileges:
True
Attack Vectors:
This security flaw can be exploited through both local and remote access using
the default root credentials provided in the software.
Discoverer:
Valentin Lobstein
References:
- http://vinchin.com
Conclusion:
The existence of default root credentials in Vinchin Backup & Recovery v7.2
(CVE-2024-22902) is a serious security oversight. Users of this software
version should be aware of the risks and stay alert for any updates or security
patches from Vinchin. Immediate action should be taken to change these
credentials to prevent unauthorized access.
Signed,Valentin Lobstein
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/