The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a significant vulnerability affecting NAKIVO Backup & Replication software to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation. This vulnerability is designated CVE-2024-48248, carries a CVSS score of 8.6, and is classified as an absolute path traversal flaw, meaning a client-supplied absolute path is used directly instead of being confined to the directory the application intends to serve.
This security gap enables unauthenticated attackers to exploit the ‘/c/router’ endpoint to read sensitive files, including critical files such as ‘/etc/shadow’. All versions of the software prior to release 10.11.3.86570 remain vulnerable.
The ramifications of successfully exploiting this flaw are considerable, allowing unauthorized access to essential data like configuration files, backup information, and user credentials. This vulnerability therefore poses significant risks not solely for data integrity but also for overall network security, potentially acting as a foothold for deeper compromises. Although specific exploitation methods have yet to be fully detailed, urgency surrounding this vulnerability has been heightened following the publication of a proof-of-concept (PoC) exploit by watchTowr Labs.
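To make the flaw class concrete from the defender's side, the following is an added illustration (not NAKIVO's code, and not derived from the PoC): a file handler that joins a client-supplied path onto its base directory, shown beside a hardened resolver that refuses absolute paths and confirms the result stays under the base. The base directory and request paths are constructed for the example, and a POSIX path model is assumed.

```python
import posixpath

# Constructed base directory for the example; a real handler would use its own.
BASE_DIR = "/opt/app/data"


def vulnerable_resolve(base: str, requested: str) -> str:
    """The bug class behind an absolute path traversal.

    posixpath.join discards every earlier component as soon as a later one is
    absolute, so a request for "/etc/shadow" resolves to "/etc/shadow" rather
    than to a file under base.  Relative "../" chains escape the same way."""
    return posixpath.normpath(posixpath.join(base, requested))


def safe_resolve(base: str, requested: str):
    """Hardened form.  Returns the resolved path, or None when the request
    must be refused.

    Checks, in order: empty or absolute input, embedded NUL bytes (which can
    truncate the path once it reaches native code), and finally that the
    normalised result still lies under base, compared component-wise so that
    "/opt/app/datax" is not accepted as a prefix match of "/opt/app/data".
    Symlinks inside base are not resolved here; a real handler should also
    apply os.path.realpath and re-check."""
    if not requested or posixpath.isabs(requested):
        return None
    if "\x00" in requested:
        return None
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, requested))
    if posixpath.commonpath([base_norm, candidate]) != base_norm:
        return None  # escaped the base via "../" components
    return candidate


if __name__ == "__main__":
    for req in ("/etc/shadow", "../../../etc/shadow", "backups/job1/manifest.json"):
        print(f"{req!r}: vulnerable -> {vulnerable_resolve(BASE_DIR, req)}, "
              f"safe -> {safe_resolve(BASE_DIR, req)}")
```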
Additionally, CISA has identified two other vulnerabilities to watch:
- CVE-2025-1316 (CVSS score: 9.3) – Found in Edimax IC-7100 IP cameras, this OS command injection vulnerability allows remote code execution through improper input validation.
- CVE-2017-12637 (CVSS score: 7.5) – A directory traversal vulnerability present in SAP NetWeaver Application Server that grants access to arbitrary files.
With these vulnerabilities identified as actively exploited, CISA mandates that Federal Civilian Executive Branch agencies implement the requisite mitigations by April 9, 2025. This emphasizes the need for organizations to adopt proactive security measures to safeguard their systems.
FAQs:
- What is CVE-2024-48248? It is an absolute path traversal vulnerability allowing unauthorized file access in NAKIVO Backup & Replication.
- How can organizations mitigate this risk? Organizations must upgrade to version 10.11.3.86570 or later to protect their systems.
- What other vulnerabilities did CISA highlight? CISA also flagged CVE-2025-1316 and CVE-2017-12637 for their potential risk.
- What actions are required from federal agencies? They are expected to perform necessary mitigations by April 9, 2025, as per CISA’s directive.
In conclusion, remaining vigilant against vulnerabilities is essential in today’s cybersecurity landscape. Organizations should prioritize software updates and sustained risk management practices to minimize exploitable gaps in their systems.