CVE-2022-35866

Published: Aug 3, 2022Modified: Jun 17, 2026

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

This vulnerability allows remote attackers to bypass authentication on affected installations of Vinchin Backup and Recovery 6.5.0.17561. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of the MySQL server. The server uses a hard-coded password for the administrator user. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-17139.

Affected (1)

Products: Vinchin: Vinchin Backup And Recovery

1 product

Vinchin Backup And Recovery

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Vinchin Vinchin Backup And Recovery	Version 6.5.0.17561

Related CWEs

Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

References (6)

http://packetstormsecurity.com/files/176794/Vinchin-Backup-And-Recovery-7.2-Default-MySQL-Credentials.html

Source: zdi-disclosures@trendmicro.com

http://seclists.org/fulldisclosure/2024/Jan/30

Source: zdi-disclosures@trendmicro.com

https://www.zerodayinitiative.com/advisories/ZDI-22-959/

Source: zdi-disclosures@trendmicro.com

Third Party AdvisoryVDB Entry

http://packetstormsecurity.com/files/176794/Vinchin-Backup-And-Recovery-7.2-Default-MySQL-Credentials.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://seclists.org/fulldisclosure/2024/Jan/30

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.zerodayinitiative.com/advisories/ZDI-22-959/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

Timeline

No history available yet.