CVE ID: CVE-2024-22899  
Title: Command Injection Vulnerability in Vinchin Backup and Recovery's syncNtpTime Function in Versions 7.2 and Earlier  
A critical security vulnerability, identified as CVE-2024-22899, has been discovered in the `syncNtpTime` function of Vinchin Backup and Recovery software. This issue affects versions 7.2 and earlier. The function, part of the `SystemHandler.class.php` file, is designed for synchronizing system time with NTP servers but is prone to a command injection vulnerability due to improper handling of user input.  
Function Analysis:  
- The function is responsible for handling the `ntphost` parameter, which is expected to contain the address of the NTP server.  
- The vulnerability stems from the direct concatenation of this parameter into a system command line, without adequate validation or sanitization.  
- This design flaw allows an attacker to inject arbitrary commands into the `ntphost` parameter, which are then executed by the system.  
Current Status:  
As of now, there is no patch available for this vulnerability in versions 7.2 and earlier of Vinchin Backup and Recovery. Users of these versions are at risk of exploitation.  
It is advised for users of Vinchin Backup and Recovery versions 7.2 and earlier to remain alert and monitor for updates from Vinchin. Once a patch becomes available, it should be applied immediately to mitigate the risk posed by this vulnerability.  
The discovery of CVE-2024-22899 underscores the importance of rigorous input validation and sanitization in software development. This vulnerability poses a severe security risk, potentially leading to unauthorized system access or control.  
Signed,Valentin Lobstein