The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified a severe vulnerability in NAKIVO Backup & Replication software, adding it to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation by threat actors. This vulnerability, CVE-2024-48248, is an absolute path traversal flaw that poses a significant risk to organizations relying on NAKIVO for data backup and disaster recovery.
With a CVSS score of 8.6, the flaw allows unauthorized attackers to access and read sensitive system files, potentially leading to credential theft, system compromise, and deeper network infiltration. The urgency to patch this vulnerability is high, given that a proof-of-concept (PoC) exploit is already publicly available, increasing the likelihood of widespread attacks.
Understanding CVE-2024-48248: How It Works
The absolute path traversal vulnerability in NAKIVO Backup & Replication software enables attackers to bypass authentication and retrieve critical system files, such as:
/etc/shadow(which contains hashed passwords for user accounts)- Configuration files that store sensitive backup settings
- Database files, including product01.h2.db, which stores user credentials
The flaw is exploited via the /c/router endpoint, allowing threat actors to traverse directories and extract files that are typically restricted. This gives attackers unauthorized access to stored backup credentials and configurations, making it easier for them to escalate privileges and gain control over entire backup environments.
Affected Versions
The vulnerability affects all versions of NAKIVO Backup & Replication prior to 10.11.3.86570. NAKIVO has since patched the flaw in version 11.0.0.88174, released in November 2024.
Why This Vulnerability Is Dangerous
Exploiting CVE-2024-48248 allows malicious actors to exfiltrate credentials stored in backup environments, which can lead to:
- System Takeovers – Attackers can use stolen credentials to infiltrate other connected systems.
- Ransomware Deployment – Malicious actors can encrypt backup data, making recovery impossible without a ransom payment.
- Data Breaches – Sensitive backup data can be stolen and leaked.
- Lateral Movement – Threat actors can use the compromised backup server as a foothold to access other systems within the network.
Proof-of-Concept (PoC) Exploit Increases Risk
Cybersecurity firm watchTowr Labs reported that a PoC exploit for CVE-2024-48248 was publicly released at the end of February 2025, making it significantly easier for attackers to target unpatched systems. Given that cybercriminals often weaponize publicly available exploits, organizations running outdated versions of NAKIVO face an immediate risk of compromise.
How to Mitigate and Fix CVE-2024-48248
1. Apply the Latest Patch Immediately
NAKIVO has released a security update (version 11.0.0.88174) that fully mitigates the vulnerability. Organizations should:
- Update to version 11.0.0.88174 or later as soon as possible.
- Verify that all backup servers and appliances are running the latest version.
2. Check for Signs of Exploitation
If your organization is running an outdated version of NAKIVO Backup & Replication, check for any indications of exploitation:
- Unusual log entries indicating access to sensitive files
- Unexpected modifications to backup configurations
- Suspicious authentication attempts or unauthorized access logs
- Signs of credential theft or lateral movement in the network
3. Secure Backup Credentials and Access Controls
Since attackers can extract credentials from product01.h2.db, organizations must:
- Rotate all backup-related passwords immediately.
- Use strong, unique credentials for backup environments.
- Restrict access to backup systems only to trusted administrators.
- Enable multi-factor authentication (MFA) wherever possible.
4. Implement Network Security Best Practices
- Restrict Internet Exposure – Ensure that NAKIVO backup servers are not directly exposed to the internet.
- Firewall Rules – Block unnecessary access to the /c/router endpoint.
- Monitor for Suspicious Activity – Implement SIEM solutions to detect unauthorized access attempts.
- Use an Endpoint Detection and Response (EDR) solution – Advanced EDR tools can help detect and block path traversal exploits.
5. Create an Incident Response Plan
If exploitation is suspected:
- Isolate affected systems from the network.
- Conduct forensic analysis to determine the extent of the compromise.
- Rebuild compromised servers from secure, verified backups.
- Report the incident to CISA and relevant cybersecurity agencies.
Additional Vulnerabilities in the KEV Catalog
Alongside CVE-2024-48248, CISA has added two more actively exploited vulnerabilities:
- CVE-2025-1316 (CVSS 9.3) – A critical OS command injection vulnerability in Edimax IC-7100 IP cameras, allowing attackers to execute arbitrary commands. This issue remains unpatched as the device has reached end-of-life.
- CVE-2017-12637 (CVSS 7.5) – A directory traversal vulnerability in SAP NetWeaver AS Java, allowing attackers to read arbitrary files through manipulated query strings.
Notably, CVE-2025-1316 has been exploited by cybercriminals to compromise Edimax cameras and integrate them into Mirai botnet variants since May 2024.
CISA’s Response and Federal Mitigation Requirements
In response to these growing threats, CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies apply the necessary security patches by April 9, 2025 to protect their networks.
Final Recommendations
With CVE-2024-48248 now actively exploited, organizations must act quickly to patch affected systems. Delays in remediation could lead to:
- Credential theft
- Data loss
- Ransomware attacks
- Full network compromise
Updating to NAKIVO Backup & Replication v11.0.0.88174 is the most effective solution to prevent exploitation. Additionally, organizations should strengthen access controls, monitor for suspicious activity, and implement best security practices to safeguard backup environments from future threats.
By taking immediate action, businesses and agencies can protect their critical data and infrastructure from this high-risk vulnerability.
Cybersecurity for Business
Your business faces constantly evolving cyber threats that can jeopardize sensitive data, disrupt operations, and damage your reputation. Our cybersecurity for business solutions are tailored to meet the unique challenges of companies of all sizes, providing robust protection against malware, phishing, ransomware, and more.
Whether you’re a small startup or a large enterprise, we offer multi-license cybersecurity packages that ensure seamless protection for your entire team, across all devices. With advanced features like real-time threat monitoring, endpoint security, and secure data encryption, you can focus on growing your business while we handle your digital security needs.
Get a Free Quote Today! Safeguard your business with affordable and scalable solutions. Contact us now to request a free quote for multi-license cybersecurity packages designed to keep your company safe and compliant. Don’t wait—protect your business before threats strike!
