mediumCVE-2026-60095

Vinchin Backup & Recovery agentlink_server Stack Buffer Overflow Vulnerability

Vinchin Backup & Recovery through 9.0.0.86562 contains a stack buffer overflow vulnerability in the ModuleHandShake function of the agentlink_server service that allows unauthenticated remote attackers to overwrite the saved return address by supplying an oversized _listen_uuid field that is measured via strlen() and copied without bounds checking into a fixed-length stack buffer using strcpy(). Attackers can send a crafted request with a malicious _listen_uuid value to corrupt the stack and achieve process crash or potential control flow hijack without requiring authentication.

ProductBackup & Recovery
CVSS6.9
EPSSNot scored yet
UpdatedJuly 10, 2026

Quick answer

Vinchin Backup & Recovery should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • Vinchin Backup & Recovery through 9.0.0.86562

Fixed versions

  • Apply the latest vendor-supported patched release

How to fix it

Vinchin Backup & Recovery through 9.0.0.86562 is affected by a stack buffer overflow in agentlink_server. Apply the latest vendor-supported patched release and restrict agent communication ports. Backup infrastructure holds high-value credentials and data paths, so review logs for unauthenticated network attempts.

  1. Inventory Vinchin Backup & Recovery servers, agents, and versions through 9.0.0.86562.
  2. Upgrade to the latest vendor-supported patched release.
  3. Restrict agentlink_server and backup agent communication to trusted backup networks only.
  4. Block unauthenticated access to backup services from user, internet, or untrusted segments.
  5. Review agentlink_server logs, crash reports, and network telemetry for oversized _listen_uuid values.
  6. Rotate backup administrator credentials and agent secrets if exploitation is suspected.
  7. Validate backup repository integrity and restore points after remediation.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm Vinchin Backup & Recovery is upgraded beyond the affected build.
  • Validate malformed handshake requests no longer crash or corrupt agentlink_server.
  • Review logs for unauthenticated exploit attempts and process crashes.
  • Test backup, replication, restore, and agent registration workflows after the upgrade.
  • Run a Fixnx scan and confirm backup management services are not publicly exposed.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-60095?

Vinchin Backup & Recovery versions listed as affected should be reviewed: Vinchin Backup & Recovery through 9.0.0.86562.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.