
Mar 20, 2025 | Ravie Lakshmanan | Cybersecurity / Vulnerability

The United States Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity security flaw affecting NAKIVO Backup & Replication software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerability, tracked as CVE-2024-48248 (CVSS score: 8.6), is an absolute path traversal bug that allows an unauthenticated attacker to read arbitrary files on the target host, including sensitive ones such as "/etc/shadow," via the "/c/router" endpoint. It affects all versions of the software prior to 10.11.3.86570.

According to CISA, "NAKIVO Backup and Replication contains an absolute path traversal vulnerability that enables an attacker to read arbitrary files." Successful exploitation could grant an adversary access to sensitive data, including configuration files, backups, and credentials, and could be used as a stepping stone to further compromise.

While there are currently no details on how the vulnerability is being exploited in the wild, watchTowr Labs published a proof-of-concept (PoC) exploit for it in late February 2025. The issue was addressed in November 2024 with version v11.0.0.88174.

The cybersecurity firm also noted that the unauthenticated arbitrary file read could be used to obtain all the stored credentials used by the target NAKIVO instance, which are held in the H2 database file "product01.h2.db."

Two other flaws have also been added to the KEV catalog:

  • CVE-2025-1316 (CVSS score: 9.3) – Edimax IC-7100 IP camera contains an OS command injection vulnerability due to improper input sanitization, allowing an attacker to achieve remote code execution via specially crafted requests. This device has reached end-of-life and remains unpatched.
  • CVE-2017-12637 (CVSS score: 7.5) – SAP NetWeaver Application Server (AS) Java contains a directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS, allowing a remote attacker to read arbitrary files via a .. (dot dot) in the query string.
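The two traversal variants named in the KEV entries above (an absolute path that replaces the intended base directory, as in CVE-2024-48248, and a ".." sequence in a query string, as in CVE-2017-12637) come from the same resolver mistake. The following is an added Python example, not code from NAKIVO, SAP, CISA or this article: a naive resolver that exhibits both bugs beside a hardened one that confines the result to an assumed base directory "/srv/backups"; the request strings are constructed for the demonstration.

```python
"""Absolute and relative path traversal, side by side.

Added example (not NAKIVO, SAP or CISA code). The base directory
"/srv/backups" and the request strings are constructed for illustration.
"""
import os
from typing import Optional
from urllib.parse import unquote


def resolve_naive(base_dir: str, requested: str) -> str:
    """Vulnerable resolver.

    os.path.join() discards base_dir entirely when `requested` is an
    absolute path (absolute path traversal, CWE-36), and normpath()
    folds ".." segments back out of base_dir (classic "dot dot"
    traversal, CWE-22). Both reads land outside base_dir.
    """
    return os.path.normpath(os.path.join(base_dir, requested))


def resolve_confined(base_dir: str, requested: str) -> Optional[str]:
    """Hardened resolver: the canonical path if it stays inside
    base_dir, otherwise None.

    - absolute requests are rejected outright rather than "fixed up";
    - NUL bytes are rejected before any filesystem call sees them;
    - realpath() canonicalises ".." and symlinks on both sides;
    - commonpath() (not str.startswith) is used, so "/srv/backups2"
      is not mistaken for a child of "/srv/backups".
    """
    if "\x00" in requested or os.path.isabs(requested):
        return None
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def resolve_from_query(base_dir: str, query_value: str) -> Optional[str]:
    """Same check for a value lifted from a URL query string, which may
    arrive percent-encoded ("..%2F" or "%2e%2e/"). Decode exactly once,
    matching what the serving layer does, then confine.
    """
    return resolve_confined(base_dir, unquote(query_value))


if __name__ == "__main__":
    base = "/srv/backups"  # assumed data directory, constructed for the demo
    for req in ("job1/config.xml", "/etc/shadow",
                "../../etc/passwd", "..%2F..%2Fetc%2Fpasswd"):
        print(f"{req!r:26} naive={resolve_naive(base, unquote(req))!r:30} "
              f"confined={resolve_from_query(base, req)!r}")
```

The hardened version rejects absolute input instead of silently relativising it, canonicalises with realpath before comparing, and compares with commonpath rather than a string prefix. For a value that arrives in a query string, decode it the same number of times the serving layer does before checking; a checker that decodes more often than the consumer validates a different path from the one that is actually opened.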

Akamai recently revealed that CVE-2025-1316 has been exploited by threat actors since May 2024 to target cameras with default credentials and deploy at least two different Mirai botnet variants.

In light of the active exploitation of these vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary mitigations by April 9, 2025, to secure their networks.
