Summary

CVE-2024-48248 is an absolute path traversal flaw in NAKIVO Backup & Replication (versions prior to v11.0.0.88174) that lets an unauthenticated attacker read arbitrary files from the Director host through the getImageByPath method exposed on the /c/router endpoint. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog after observing in-the-wild abuse. Researchers at watchTowr Labs, who disclosed the bug, published a proof of concept that exfiltrates /etc/shadow, backup logs and the product's stored credentials. Shadowserver found over 200 exposed instances globally, and at the time of writing EPSS put the probability of exploitation within the next 30 days at 93%.

Impacted Versions

  • NAKIVO Backup & Replication 10.11.3.86570 and earlier
  • Fixed in v11.0.0.88174 and later

Technical Details

  • CVE Identifier: CVE-2024-48248
  • CVSS v3.1 Score: 8.6 (High)
  • Weakness: CWE-36 Absolute Path Traversal
  • Attack Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N (network, low complexity, no privileges, no user interaction, scope changed; confidentiality impact only)
  • Description: The getImageByPath method reachable via /c/router passes the caller-supplied path to a file read without confining it to the intended image directory, so an absolute path such as /etc/shadow (or a path containing ../ sequences) is returned to an unauthenticated caller. Files readable this way include the product's own data, among them cleartext credentials used by PhysicalDiscovery. The flaw itself is read-only; remote code execution is a follow-on step, reached by reusing the recovered credentials against the backup infrastructure and the hosts it protects.
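The following Python snippet is an added illustration of the bug class, not NAKIVO's code (the product is written in Java) and not the watchTowr proof of concept. It shows why a naive "join the base directory and the user path" handler leaks files: both Python's os.path.join and Java's Path.resolve return an absolute second argument unchanged, and ../ components are honoured, so neither an absolute path nor a climbing relative path is confined. The hardened handler rejects absolute input, resolves symlinks, and requires the resolved target to sit under the resolved base. The directory layout, file names and contents are constructed for the demonstration.

```python
import os
import tempfile

IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif")


def make_fixture():
    """Constructed layout (not a real install): an image directory the endpoint is
    meant to serve from, and a file outside it standing in for /etc/shadow."""
    root = tempfile.mkdtemp(prefix="imgdemo-")
    images = os.path.join(root, "images")
    os.makedirs(images)
    with open(os.path.join(images, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n")
    secret = os.path.join(root, "shadow")
    with open(secret, "w", encoding="utf-8") as fh:
        fh.write("root:$6$constructed$hash:20000:0:99999:7:::\n")
    return images, secret


def get_image_vulnerable(images_dir, user_path):
    """Flaw class of CVE-2024-48248 (illustrative, not NAKIVO's code): the
    caller-supplied path is joined and opened with no containment check.
    os.path.join discards images_dir when user_path is absolute, and "../"
    components are honoured, so both escape the directory."""
    with open(os.path.join(images_dir, user_path), "rb") as fh:
        return fh.read()


def get_image_hardened(images_dir, user_path):
    """Reject absolute paths up front, resolve symlinks, then require the
    resolved target to sit under the resolved base directory."""
    if os.path.isabs(user_path):
        raise PermissionError("absolute path rejected")
    base = os.path.realpath(images_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    # commonpath, not str.startswith: "/srv/images-old" must not pass as
    # being inside "/srv/images".
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes image directory")
    if not target.lower().endswith(IMAGE_EXTENSIONS):
        raise PermissionError("not an image file")
    with open(target, "rb") as fh:
        return fh.read()


def hardened_blocks(images_dir, user_path):
    """True if the hardened handler refuses the request."""
    try:
        get_image_hardened(images_dir, user_path)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    images, secret = make_fixture()
    print(get_image_vulnerable(images, secret)[:5])        # leaked via absolute path
    print(get_image_vulnerable(images, "../shadow")[:5])   # leaked via ../
    print(get_image_hardened(images, "logo.png")[:4])      # legitimate request served
    print(hardened_blocks(images, secret), hardened_blocks(images, "../shadow"))
```

The absolute-path check alone is not sufficient: without the realpath and commonpath step a relative path such as sub/../../shadow still escapes, and without realpath a symlink planted inside the image directory would pass the lexical check.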

Exploitation & Threat

  • Active Exploitation: Confirmed by CISA inclusion in KEV catalog; details of campaigns remain limited.
  • Proof-of-Concept: PoC demonstrates exfiltration of system and backup files.
  • Observed Instances: Shadowserver reported ~208 vulnerable public systems, predominantly in Europe and North America.
  • Risk Context: Backup servers store credentials for every system they protect and usually run with elevated privileges. A flaw that hands those credentials to an unauthenticated caller is attractive both to ransomware operators, who target backups to prevent recovery, and to espionage actors seeking quiet lateral movement.

Mitigations

  1. Upgrade: Update to NAKIVO v11.0.0.88174 or later; this is the only fix for the flaw itself.
  2. Access Controls: Restrict web-interface access to trusted IPs. Enforce MFA on all accounts as well, but note that MFA does not mitigate this vulnerability (no authentication is required to trigger it); it limits what an attacker can do with credentials recovered from the leaked files.
  3. Network Segmentation: Isolate backup servers from general user and internet-facing networks. /c/router is the API endpoint the legitimate web UI uses, so do not block the path outright; block traffic to it from any source that is not an administrative host or management network.
  4. Detection: Because all UI activity goes through /c/router, log the request body and alert on calls to getImageByPath whose path argument is absolute or contains ../ sequences, rather than on every GET/POST to the endpoint. Review existing logs for such requests from unexpected sources, and deploy IDS/IPS rules or the public Nuclei template for this CVE.
  5. BOD 22-01 Compliance: CISA's Binding Operational Directive 22-01 requires federal civilian agencies to remediate KEV entries by the catalog due date. The catalog's required action is to apply the vendor's mitigations, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
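The following detection logic is an added example written for this page; it is not part of the advisory and not NAKIVO's or CISA's code. It scans constructed request records (JSON lines, as a reverse proxy that captures request bodies might emit them) for /c/router calls whose Ext Direct body invokes getImageByPath with an absolute or climbing path, and ignores the ordinary UI traffic that also hits /c/router. The endpoint and method name come from the advisory; the log format, the action name AuthenticationManagement, the source addresses and the batched-call shape are assumptions made for the sample.

```python
import json
import posixpath
import re

# Constructed sample records, not real NAKIVO traffic. Record 3 spells the
# traversal as ..\/..\/ using JSON's \/ escape, which a raw grep for "../"
# misses but a JSON parse recovers. Record 5 uses a Windows absolute path.
SAMPLE_LOG = r'''
{"src": "203.0.113.7", "method": "POST", "uri": "/c/router", "body": "{\"action\":\"AuthenticationManagement\",\"method\":\"getImageByPath\",\"data\":[\"/etc/shadow\"],\"type\":\"rpc\",\"tid\":1}"}
{"src": "10.0.0.5", "method": "POST", "uri": "/c/router", "body": "{\"action\":\"AuthenticationManagement\",\"method\":\"getImageByPath\",\"data\":[\"logo.png\"],\"type\":\"rpc\",\"tid\":2}"}
{"src": "203.0.113.7", "method": "POST", "uri": "/c/router", "body": "[{\"action\":\"AuthenticationManagement\",\"method\":\"getImageByPath\",\"data\":[\"..\/..\/..\/etc\/passwd\"],\"type\":\"rpc\",\"tid\":3}]"}
{"src": "10.0.0.5", "method": "POST", "uri": "/c/router", "body": "{\"action\":\"AuthenticationManagement\",\"method\":\"login\",\"data\":[\"admin\",\"***\"],\"type\":\"rpc\",\"tid\":4}"}
{"src": "198.51.100.9", "method": "POST", "uri": "/c/router?x=1", "body": "{\"action\":\"AuthenticationManagement\",\"method\":\"getImageByPath\",\"data\":[\"C:\\\\Windows\\\\win.ini\"],\"type\":\"rpc\",\"tid\":5}"}
'''

# Drive-letter or UNC prefix, so Windows Director hosts are covered too.
WIN_ABS = re.compile(r"^[A-Za-z]:[\\/]|^\\\\")


def suspicious_path(path):
    """True if the requested path is absolute or climbs out of a relative
    image directory once normalised."""
    if path.startswith("/") or path.startswith("\\") or WIN_ABS.match(path):
        return True
    normalised = posixpath.normpath(path.replace("\\", "/"))
    # normpath collapses "a/../b" to "b" but keeps a leading ".." intact.
    return normalised.split("/")[0] == ".."


def extract_calls(body):
    """Ext Direct request bodies are a single call object or a batch (list)."""
    try:
        parsed = json.loads(body)
    except (TypeError, ValueError):
        return []
    return parsed if isinstance(parsed, list) else [parsed]


def analyze_record(rec):
    """Return a finding for one request record, or None."""
    if rec.get("uri", "").split("?", 1)[0] != "/c/router":
        return None
    for call in extract_calls(rec.get("body", "")):
        if not isinstance(call, dict) or call.get("method") != "getImageByPath":
            continue
        for arg in call.get("data") or []:
            if isinstance(arg, str) and suspicious_path(arg):
                return {"src": rec.get("src"), "tid": call.get("tid"), "path": arg}
    return None


def scan(log_text):
    """Scan JSON-lines request records and return the list of findings."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        finding = analyze_record(rec)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"ALERT src={f['src']} tid={f['tid']} path={f['path']}")
```

Parsing the body rather than pattern-matching the raw line is the point: the request carries the path inside a JSON string, so escapes such as \/ and \\ change the bytes on the wire without changing what the server opens.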

Resources and Further Reading