CISA Says NAKIVO Backup Flaw is Actively Exploited in Attacks

CISA warns that a high-severity NAKIVO Backup & Replication flaw, CVE-2024-48248, which lets unauthenticated attackers read arbitrary files, is being exploited in the wild, and urges organizations to patch promptly.

    The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding a high-severity vulnerability in NAKIVO’s Backup & Replication software, tracked as CVE-2024-48248. The flaw is an absolute path traversal: the application accepts a client-supplied file path without confining it to its intended directory, so an unauthenticated attacker can read arbitrary files from an unpatched host.
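    To show the bug class concretely, the following is an added Python example, not NAKIVO's code and not a description of their implementation. It models a hypothetical file-serving handler that resolves a client-supplied path with os.path.join, next to a hardened version that confines the result to a base directory. The base directory and function names are assumptions.

```python
import os
from typing import Optional


def resolve_vulnerable(base_dir: str, requested: str) -> str:
    """Hypothetical vulnerable resolver (illustrative, not NAKIVO's code).

    os.path.join discards every component that precedes an absolute one, so a
    client-supplied "/etc/passwd" replaces base_dir entirely. This is the
    absolute path traversal pattern: no "../" is needed to escape the root.
    """
    return os.path.normpath(os.path.join(base_dir, requested))


def resolve_hardened(base_dir: str, requested: str) -> Optional[str]:
    """Return a path inside base_dir, or None if the request escapes it."""
    if os.path.isabs(requested):
        return None  # absolute paths are never a valid file name here
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # realpath collapses ".." segments and symlinks, so a directory-prefix
    # check on the normalised result is sufficient.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    # Hypothetical base directory; nothing is actually read from disk.
    base = "/srv/app/images"
    for req in ("logo.png", "/etc/passwd", "../../../etc/passwd"):
        print(f"{req!r:28} vulnerable -> {resolve_vulnerable(base, req)}")
        print(f"{'':28} hardened   -> {resolve_hardened(base, req)}")
```

    The hardened version rejects absolute input outright and then re-checks the resolved path against the base directory, so both the absolute form and the classic "../" form are refused while "sub/../logo.png" still resolves inside the root.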

    Details of the Vulnerability

    The NAKIVO backup flaw can expose critical data, including configuration files, backups, and credentials.

    As NAKIVO explained, “Exploiting this vulnerability could expose sensitive data, including configuration files, backups, and credentials, potentially leading to data breaches or further security compromises.”

    WatchTowr, the cybersecurity firm that discovered the issue, highlighted that the implications extend beyond stealing backups. A backup server stores credentials for the hypervisors, hosts and storage it protects, so reading its configuration and credential store exposes every system it connects to; in watchTowr's words, the flaw can effectively “unlock entire infrastructure environments.”

    Response and Mitigation

    NAKIVO fixed the flaw without public disclosure in Backup & Replication v11.0.0.88174, released in November 2024, roughly two months after WatchTowr first reported it. NAKIVO’s security advisory of March 6, 2025 did not mark the flaw as exploited in the wild.

    CISA has now added CVE-2024-48248 to its Known Exploited Vulnerabilities catalog. Under Binding Operational Directive (BOD) 22-01, issued in November 2021, Federal Civilian Executive Branch (FCEB) agencies must remediate the vulnerability within three weeks, by April 9, 2025.

    CISA stated, “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”

    BOD 22-01 binds only federal civilian agencies, but CISA urges all organizations to prioritize patching this flaw given the ongoing attacks. In practice that means confirming every Backup & Replication instance, including those not reachable from the internet, is running v11.0.0.88174 or later.

    NAKIVO Backup Customer Advisory

    NAKIVO has advised its customers to review system logs for signs of “unauthorized access attempts” and “unexpected file access activities.” Because exploitation needs no credentials, a successful read does not show up as a failed login; the useful signal is a request that carries an absolute path, or a path climbing out of the expected directory, where a plain file name is expected. The company reports a global network of over 8,000 partners and more than 30,000 active customers in 183 countries, including major corporations such as Honda, Cisco, Coca-Cola, and Siemens.
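    The log review NAKIVO recommends can be scripted. The following is an added Python example, not NAKIVO's tooling, that scans web access-log lines for a file-path parameter whose decoded value is absolute or contains ".." segments. The log lines are constructed for the example, and the "/api/getFile" endpoint and "path" parameter are hypothetical, not NAKIVO's actual endpoint; adapt the regex and parameter name to the real logs.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access log in combined-log style (not real NAKIVO logs).
# Endpoint and parameter names are hypothetical.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Mar/2025:10:01:02 +0000] "GET /api/getFile?path=reports/q1.pdf HTTP/1.1" 200 48213
203.0.113.9 - - [18/Mar/2025:10:01:03 +0000] "GET /api/getFile?path=/etc/passwd HTTP/1.1" 200 2201
10.0.0.5 - - [18/Mar/2025:10:01:04 +0000] "GET /login HTTP/1.1" 200 912
203.0.113.9 - - [18/Mar/2025:10:01:05 +0000] "GET /api/getFile?path=%2Fetc%2Fshadow HTTP/1.1" 200 1160
198.51.100.7 - - [18/Mar/2025:10:02:11 +0000] "GET /api/getFile?path=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 404 0
10.0.0.5 - - [18/Mar/2025:10:02:12 +0000] "GET /api/getFile?path=images/logo.png HTTP/1.1" 200 1532
"""

# client, timestamp, method, request target and status from a combined-log line
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# POSIX root, a leading backslash, or a Windows drive letter
ABSOLUTE_RE = re.compile(r"^(?:/|\\|[A-Za-z]:[\\/])")


def path_escapes_root(value: str) -> bool:
    """True if a file-name parameter is absolute or climbs with '..'."""
    if ABSOLUTE_RE.match(value):
        return True
    return any(seg == ".." for seg in re.split(r"[\\/]", value))


def suspicious_requests(log_text: str, param: str = "path") -> List[Tuple[str, str, int]]:
    """Return (client, decoded path, status) for every request whose `param`
    value escapes the expected directory. Double-encoded input is decoded
    a second time so '%252F' is still caught."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for raw in parse_qs(query).get(param, []):   # parse_qs decodes one layer
            value = unquote(raw)                      # second layer for %25xx
            if path_escapes_root(value):
                hits.append((m["client"], value, int(m["status"])))
    return hits


if __name__ == "__main__":
    for client, path, status in suspicious_requests(SAMPLE_LOG):
        print(f"{client:15} status={status} path={path}")
```

    Sort the hits by status and response size: a 200 with a non-zero body for an absolute path is evidence of a successful read and should be treated as a confirmed exposure of that file, while 4xx responses from the same source are attempts worth blocking at the network edge.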
