The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity security flaw impacting NAKIVO Backup & Replication software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability in question is CVE-2024-48248 (CVSS score: 8.6), an absolute path traversal bug that could allow an unauthenticated attacker to read files on the target host, including sensitive ones such as “/etc/shadow” via the endpoint “/c/router.” It affects all versions of the software prior to version 10.11.3.86570.
“NAKIVO Backup and Replication contains an absolute path traversal vulnerability that enables an attacker to read arbitrary files,” CISA said in an advisory.
Successful exploitation of the shortcoming could allow an adversary to read sensitive data, including configuration files, backups, and credentials, which could then act as a stepping stone for further compromises.
There are currently no details on how the vulnerability is being exploited in the wild, but the development comes after watchTowr Labs published a proof-of-concept (PoC) exploit towards the end of last month. The issue has been addressed as of November 2024 with version v11.0.0.88174.
The cybersecurity firm further noted that the unauthenticated arbitrary file read vulnerability could be weaponized to obtain all stored credentials utilized by the target NAKIVO solution and hosted on the database “product01.h2.db.”
Also added to the KEV catalog are two other flaws –
- CVE-2025-1316 (CVSS score: 9.3) – Edimax IC-7100 IP camera contains an OS command injection vulnerability due to improper input sanitization that allows an attacker to achieve remote code execution via specially crafted requests (Unpatched due to the device reaching end-of-life)
- CVE-2017-12637 (CVSS score: 7.5) – SAP NetWeaver Application Server (AS) Java contains a directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS that allows a remote attacker to read arbitrary files via a .. (dot dot) in the query string
Last week, Akamai revealed that CVE-2025-1316 is being weaponized by bad actors to target cameras with default credentials in order to deploy at least two different Mirai botnet variants since May 2024.
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary mitigations by April 9, 2025, to secure their networks.
