CSO Online
CISA marks NAKIVO’s critical backup vulnerability as actively exploited
The Cybersecurity and Infrastructure Security Agency (CISA) has added an already patched, high-severity vulnerability in NAKIVO's backup and replication software to its Known Exploited Vulnerabilities (KEV) catalog.

The flaw, tracked as CVE-2024-48248, is a path traversal issue with a CVSS score of 8.6 out of 10 (high); NAKIVO nonetheless rated it "critical" in its security advisory.

“This vulnerability allows attackers to read arbitrary files on the affected system without authentication,” NAKIVO had said in the advisory. “Exploiting this vulnerability could expose sensitive data, including configuration files, backups, and credentials, potentially leading to data breaches or further security compromises.”

The backup vendor fixed the issue in Backup & Replication v11.0.0.88174.
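To make the vulnerability class concrete, here is an added example (hypothetical code, not NAKIVO's implementation and not watchTowr's proof of concept) of an unauthenticated file-serving routine in the shape the advisory describes, beside a hardened version. The function names, the sandbox layout and the request strings are all assumptions constructed for the demonstration; the hardened variant decodes once, resolves the path, and refuses anything that lands outside the base directory:

```python
"""Path traversal in a file-serving routine: the vulnerable shape beside a
hardened one.  Added example; hypothetical code, not NAKIVO's."""
import os
import tempfile
import urllib.parse
from pathlib import Path


def read_file_vulnerable(base_dir: str, requested: str) -> bytes:
    """Naive join: '..' segments walk out of base_dir, and an absolute
    'requested' makes os.path.join discard base_dir entirely (CWE-22)."""
    full = os.path.join(base_dir, requested)
    with open(full, "rb") as fh:
        return fh.read()


def read_file_hardened(base_dir: str, requested: str) -> bytes:
    """Decode once, resolve '..' and symlinks, then verify the result is
    still inside base_dir before opening it."""
    decoded = urllib.parse.unquote(requested)
    if "\x00" in decoded:
        raise PermissionError("NUL byte in requested path")
    base = Path(base_dir).resolve()
    # Strip leading separators so an absolute path cannot replace base.
    candidate = (base / decoded.lstrip("/\\")).resolve()
    if candidate != base and base not in candidate.parents:
        raise PermissionError(f"path escapes base directory: {requested!r}")
    if not candidate.is_file():
        raise FileNotFoundError(requested)
    return candidate.read_bytes()


def demo() -> dict:
    """Build a sandbox (www/public.txt inside, secret.txt one level up) and
    run both readers against a benign request and three traversal attempts.
    Returns a dict of outcomes so the behaviour can be checked programmatically."""
    root = Path(tempfile.mkdtemp())
    base = root / "www"
    base.mkdir()
    (base / "public.txt").write_bytes(b"hello")
    (root / "secret.txt").write_bytes(b"TOP-SECRET")

    attempts = {
        "traversal": "../secret.txt",
        "encoded": "..%2Fsecret.txt",          # decodes to ../secret.txt
        "absolute": str(root / "secret.txt"),  # os.path.join drops base for this
    }
    out = {
        "vuln_normal": read_file_vulnerable(str(base), "public.txt"),
        "hard_normal": read_file_hardened(str(base), "public.txt"),
    }
    for name, path in attempts.items():
        try:
            out["vuln_" + name] = read_file_vulnerable(str(base), path)
        except OSError:
            out["vuln_" + name] = "not found"  # a literal '%2F' filename does not exist
        try:
            read_file_hardened(str(base), path)
            out["hard_" + name] = "ALLOWED"
        except (PermissionError, FileNotFoundError):
            out["hard_" + name] = "blocked"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15} {value!r}")
```

The vulnerable reader hands back the file outside its directory for both the plain `../` request and the absolute path, which is the "read arbitrary files without authentication" outcome the advisory warns about; the hardened reader blocks all three attempts, including the percent-encoded one, because the containment check runs on the resolved path rather than on the raw string.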

Flaw likely exploited as an N-day

The activity is most likely N-day exploitation, that is, attacks against installations that have not applied a fix that already exists: the vulnerability was patched months ago, and the vendor advisory, last updated on March 6, still did not mark it as actively exploited.

The vulnerability was first identified and reported to NAKIVO by the cybersecurity firm watchTowr on September 13, 2024. According to watchTowr's blog post, it took NAKIVO over a month to acknowledge the report by email, and the vendor then "silently" patched the vulnerability on November 4, 2024.

The in-the-wild exploitation that CISA has now flagged follows watchTowr's public disclosure of the vulnerability, along with a proof-of-concept (PoC) exploit, in February 2025. Whether the attackers used watchTowr's PoC is not known, but watchTowr was evidently aware of the criticism that public disclosure invites.

“As an industry, we believe that we’ve come to a common consensus after 25 years of circular debates – disclosure is terrible, information is actually dangerous, it’s best that it’s not shared, and the only way to really ensure that no one ever uses information in a way that you don’t like (this part is key) is to make up terms for your way of doing things,” watchTowr had said in the blog post.

Notably, a day after the CISA alert, watchTowr disclosed another critical vulnerability, this one in Veeam backup servers, that allows remote code execution.

CISOs advised to push for immediate patching

CISA has urged immediate patching across federal and civilian organizations. For Federal Civilian Executive Branch (FCEB) agencies, the US cybersecurity watchdog has set a remediation deadline of April 19, 2025, under Binding Operational Directive (BOD) 22-01.

"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable," CISA said in the KEV update. Although NAKIVO's advisory does not mention in-the-wild exploitation, the vendor clearly urged admins to upgrade to the fixed version immediately. Beyond patching, the advisory recommends reviewing access logs for signs of exploitation and tightening network security through segmentation and robust firewalling. Because the flaw exposes files such as configuration and credential stores, any credentials reachable from an unpatched host should be treated as potentially compromised and rotated after the upgrade.
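The advisory's recommendation to review access logs is easy to act on if you know what a traversal attempt looks like once decoded. The following added example (my own code, not NAKIVO's tooling, and the log lines are constructed in combined log format with RFC 5737 test addresses, not real traffic) scans access-log text for `../` sequences after bounded percent-decoding, so single- and double-encoded payloads surface, and flags requests that returned a 2xx status as possible successes. The `/files?name=` endpoint in the sample lines is an assumption for illustration, not a NAKIVO path:

```python
"""Scan web-server access logs for path-traversal attempts.  Added example
with constructed log lines; not NAKIVO's log format or tooling."""
import re
import urllib.parse
from collections import Counter

# Constructed combined-log-format lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:08:12:01 +0000] "GET /static/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2025:08:12:44 +0000] "GET /files?name=../../../../etc/passwd HTTP/1.1" 200 2341 "-" "curl/8.4.0"
198.51.100.23 - - [10/Mar/2025:08:12:45 +0000] "GET /files?name=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 0 "-" "curl/8.4.0"
198.51.100.23 - - [10/Mar/2025:08:12:46 +0000] "GET /files?name=%252e%252e%252f%252e%252e%252fetc%252fhosts HTTP/1.1" 200 410 "-" "python-requests/2.31"
192.0.2.9 - - [10/Mar/2025:08:13:02 +0000] "GET /files?name=report.pdf HTTP/1.1" 200 88210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Dot-dot followed by a slash or backslash, checked after decoding.  Overlong
# UTF-8 encodings of '/' and '.' are matched on the raw string because
# unquote() cannot turn them into the characters they stand for.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
OVERLONG_RE = re.compile(r"%c0%af|%c0%ae|%e0%80%af", re.IGNORECASE)


def fully_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded payloads surface."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan_access_log(text: str) -> list:
    """Return one finding per request whose decoded target contains a
    traversal sequence.  A 2xx status is flagged as a possible success."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = m.group("target")
        decoded = fully_decode(raw)
        if TRAVERSAL_RE.search(decoded) or OVERLONG_RE.search(raw):
            status = int(m.group("status"))
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "raw": raw,
                "decoded": decoded,
                "status": status,
                "possible_success": 200 <= status < 300,
            })
    return findings


def attempts_by_source(findings: list) -> Counter:
    """Count attempts per client IP; repeated hits from one source are the
    first thing to triage."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    results = scan_access_log(SAMPLE_LOG)
    for f in results:
        flag = "POSSIBLE SUCCESS" if f["possible_success"] else "blocked"
        print(f'{f["ts"]} {f["ip"]:16} {f["status"]} {flag:16} {f["decoded"]}')
    print(attempts_by_source(results))
```

A 200 response to a traversal request is the line to escalate: it means the server handed back something, and whatever file that was should be assumed read. A 403 or 404 is still worth recording, since it shows the source was probing and may return with a different encoding.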
