
In March 2025, the Cybersecurity and Infrastructure Security Agency (CISA) added a critical vulnerability in NAKIVO’s Backup & Replication software to its Known Exploited Vulnerabilities (KEV) catalog. This flaw, identified as CVE-2024-48248, is an absolute path traversal vulnerability that enables unauthenticated attackers to read arbitrary files on affected systems, potentially exposing sensitive data such as configuration files, backups, and credentials. The vulnerability has a Common Vulnerability Scoring System (CVSS) score of 8.6, indicating its high severity.
Discovery and Disclosure
The vulnerability was discovered by cybersecurity firm watchTowr in September 2024. They reported the issue to NAKIVO, which subsequently patched it in November 2024 with the release of Backup & Replication v11.0.0.88174. However, NAKIVO did not publicly disclose the vulnerability or its patch at that time. In February 2025, watchTowr released a proof-of-concept exploit for CVE-2024-48248, highlighting the potential risks associated with the flaw.
Active Exploitation
Following the public disclosure, CISA added the vulnerability to its KEV catalog, citing evidence of active exploitation. The agency emphasized the significant risks posed by such vulnerabilities, noting that they are frequent attack vectors for malicious cyber actors and can lead to data breaches or further security compromises. CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies apply the necessary mitigations by April 9, 2025, in accordance with Binding Operational Directive (BOD) 22-01.
Implications for Organizations
Organizations using NAKIVO’s Backup & Replication software are strongly advised to upgrade to version 11.0.0.88174 or newer to mitigate the risks associated with this vulnerability. Additionally, it’s recommended to review system logs for signs of unauthorized access attempts and to enhance network security through measures such as segmentation and robust firewalling.
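The absolute path traversal class described above, as an added illustration that is neither NAKIVO's code nor watchTowr's proof of concept: the unsafe join that lets an absolute input replace the base directory, a hardened containment check, and a small triage helper for the log review recommended here. BACKUP_ROOT, the function names and the sample requests are assumptions for the demonstration.

```python
import posixpath
from typing import Optional

# Hypothetical export root for the demonstration; not NAKIVO's real directory layout.
BACKUP_ROOT = "/srv/backups"


def resolve_unsafe(base: str, requested: str) -> str:
    """Vulnerable pattern behind an absolute path traversal.

    posixpath.join() (like os.path.join) discards every earlier component as
    soon as a later one is absolute, so a caller-controlled value that starts
    with '/' silently replaces the base directory.
    """
    return posixpath.normpath(posixpath.join(base, requested))


def resolve_safe(base: str, requested: str) -> Optional[str]:
    """Hardened lookup: reject absolute input, normalise, then require the
    result to sit strictly below the base directory.

    Symlinks are out of scope for this offline demo; on a live filesystem
    apply os.path.realpath() to both sides before the containment check.
    """
    if posixpath.isabs(requested) or "\\" in requested or "\0" in requested:
        return None  # absolute, backslash-laden or NUL-bearing input is refused outright
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, requested))
    if candidate == base_norm:
        return None  # the root itself is a directory, not a downloadable file
    if posixpath.commonpath([base_norm, candidate]) != base_norm:
        return None  # '..' segments climbed out of the base
    return candidate


def classify_request(requested: str) -> str:
    """Triage helper for log review: label a requested path 'absolute'
    (the shape of CVE-2024-48248), 'escape' (dot-dot climbing) or 'ok'."""
    if posixpath.isabs(requested):
        return "absolute"
    if ".." in posixpath.normpath(requested).split("/"):
        return "escape"
    return "ok"


if __name__ == "__main__":
    for req in ["daily/db.bak", "/etc/passwd", "../../etc/shadow"]:
        print(f"{req!r:20} unsafe={resolve_unsafe(BACKUP_ROOT, req)!r:28} "
              f"safe={resolve_safe(BACKUP_ROOT, req)!r} class={classify_request(req)}")
```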
Absolute path traversal? Sounds like someone left the keys under the mat! Makes you wonder what else is lurking in those backups – maybe a company’s secret recipe for world domination? Time to update, folks!