
In March 2025, the Cybersecurity and Infrastructure Security Agency (CISA) added a critical vulnerability in NAKIVO’s Backup & Replication software to its Known Exploited Vulnerabilities (KEV) catalog. This flaw, identified as CVE-2024-48248, is an absolute path traversal vulnerability that enables unauthenticated attackers to read arbitrary files on affected systems, potentially exposing sensitive data such as configuration files, backups, and credentials. The vulnerability has a Common Vulnerability Scoring System (CVSS) score of 8.6, indicating its high severity.
Discovery and Disclosure
The vulnerability was discovered by cybersecurity firm watchTowr in September 2024. They reported the issue to NAKIVO, which subsequently patched it in November 2024 with the release of Backup & Replication v11.0.0.88174. However, NAKIVO did not publicly disclose the vulnerability or its patch at that time. In February 2025, watchTowr released a proof-of-concept exploit for CVE-2024-48248, highlighting the potential risks associated with the flaw.
Active Exploitation
Following the public disclosure, CISA added the vulnerability to its KEV catalog, citing evidence of active exploitation. The agency emphasized the significant risks posed by such vulnerabilities, noting that they are frequent attack vectors for malicious cyber actors and can lead to data breaches or further security compromises. CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies apply the necessary mitigations by April 9, 2025, in accordance with Binding Operational Directive (BOD) 22-01.
Implications for Organizations
Organizations using NAKIVO’s Backup & Replication software are strongly advised to upgrade to version 11.0.0.88174 or newer to mitigate the risks associated with this vulnerability. Additionally, it’s recommended to review system logs for signs of unauthorized access attempts and to enhance network security through measures such as segmentation and robust firewalling.
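Two of the checks recommended above can be scripted: comparing an installed build against the fixed version named in the advisory, and triaging web access logs for request parameters whose values are absolute paths (the signature of an absolute path traversal) or contain `..` segments. The script below is an added example, not code from NAKIVO, CISA or watchTowr. It assumes a combined-style access log, a hypothetical endpoint `/example/download` with a `file` parameter, and constructed sample lines; only the fixed version string 11.0.0.88174 comes from the article.

```python
"""Defender-side triage helpers for the advisory above (added example).

Assumptions, all constructed for illustration: combined-style access log
lines, a hypothetical endpoint /example/download?file=..., and the sample
request values. The fixed version 11.0.0.88174 is the one the advisory cites.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

FIXED_VERSION = (11, 0, 0, 88174)  # first patched build, per the advisory


def parse_version(text):
    """Turn '11.0.0.88174' into a comparable tuple of ints."""
    return tuple(int(p) for p in text.strip().split("."))


def is_patched(installed):
    """True if the installed build is at or above the fixed build."""
    parts = parse_version(installed)
    parts += (0,) * (len(FIXED_VERSION) - len(parts))  # pad short versions
    return parts >= FIXED_VERSION


# Absolute path: POSIX root, Windows drive letter, or UNC prefix.
ABS_PATH = re.compile(r"^(?:/|[A-Za-z]:[\\/]|\\\\)")
# Relative traversal: a '..' segment bounded by separators or string ends.
DOT_DOT = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")

# Combined-log prefix: ip ident user [timestamp] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def suspicious_params(request_target):
    """Return (name, decoded_value) pairs that look like path traversal."""
    query = urlsplit(request_target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote(unquote(value))  # parse_qsl decoded once; catch double-encoding
        if ABS_PATH.match(decoded) or DOT_DOT.search(decoded):
            hits.append((name, decoded))
    return hits


def triage_log(lines):
    """Scan access log lines and report requests carrying traversal-like values."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        for name, value in suspicious_params(m.group("target")):
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "param": name,
                "value": value,
            })
    return findings


# Constructed sample log lines (not real traffic). Line 1 is benign; the rest
# carry an absolute path, a drive-letter path, a '..' chain and a
# double-encoded absolute path respectively.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Mar/2025:08:01:22 +0000] "GET /example/download?file=report.pdf HTTP/1.1" 200 4120',
    '203.0.113.9 - - [20/Mar/2025:08:02:10 +0000] "GET /example/download?file=%2Fetc%2Fshadow HTTP/1.1" 200 1337',
    '203.0.113.9 - - [20/Mar/2025:08:02:11 +0000] "GET /example/download?file=C%3A%5CWindows%5Cwin.ini HTTP/1.1" 200 92',
    '198.51.100.4 - - [20/Mar/2025:08:03:00 +0000] "GET /example/download?file=..%2F..%2Fconfig.xml HTTP/1.1" 404 0',
    '10.0.0.5 - - [20/Mar/2025:08:04:00 +0000] "GET /example/download?file=%252Fetc%252Fpasswd HTTP/1.1" 200 800',
]

if __name__ == "__main__":
    for version in ("10.11.0.88000", "11.0.0.88174", "11.1.0"):
        print(f"{version}: {'patched' if is_patched(version) else 'VULNERABLE'}")
    for hit in triage_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} {hit['param']}={hit['value']!r}")
```

A 200 status on a line flagged by `triage_log` deserves immediate follow-up, since it suggests the server returned the requested file; a 404 still records an attempt worth correlating with the source address. Decoding twice matters because an encoded `%252F` survives the server's single decode as `%2F` and would otherwise slip past a check that only looks for a literal slash.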
Absolute path traversal? Sounds like someone left the keys under the mat! Makes you wonder what else is lurking in those backups – maybe a company’s secret recipe for world domination? Time to update, folks!
That’s a great analogy! It’s definitely worth considering what sensitive information might be unintentionally exposed in backups. Proactive security measures like regular audits and principle of least privilege are essential to minimizing those risks. Thanks for highlighting that!
Editor: StorageTech.News
Thank you to our Sponsor Esdebe
Yikes, absolute path traversal? So, if I understand correctly, it’s less “backup” and more “open invitation to snoop around”? Guess it’s time to add “check for actively exploited vulnerabilities” to the Monday morning to-do list, right after coffee!
That’s a great way to put it! The “open invitation to snoop around” analogy really highlights the potential impact. Prioritizing vulnerability checks alongside that crucial morning coffee seems like an excellent strategy for a secure week! What tools are you considering adding to your Monday routine?
Editor: StorageTech.News
Given the vulnerability wasn’t publicly disclosed until February 2025, what implications does this delayed transparency have for organizations that were affected between November 2024 and February 2025?