CISA Adds High-Severity NAKIVO Path Traversal Bug to Exploited List

Article Highlights
Off On

In a recent advisory, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed a major security flaw affecting NAKIVO Backup & Replication software. This vulnerability, identified as CVE-2024-48248, with a significant CVSS score of 8.6, has been added to the Known Exploited Vulnerabilities (KEV) catalog. The bug is an absolute path traversal vulnerability, which allows unauthorized attackers to read files on the targeted host. Sensitive files, including the “/etc/shadow” file, are at risk via the “/c/router” endpoint. This vulnerability impacts all NAKIVO software versions preceding 10.11.3.86570.

Details and Mitigation

CISA’s advisory has underscored that the successful exploitation of this vulnerability could lead to adversaries gaining access to crucial data. Potentially accessible information may include configuration files, backups, and essential credentials, escalating the risk of further security breaches. Although the advisory refrained from providing specific exploitation details, it is important to note that the disclosure follows the release of a proof-of-concept (PoC) exploit by watchTowr Labs in late October. To mitigate this vulnerability, users are urged to update to version v11.0.0.88174, released in November.

This incident serves as an urgent reminder of the importance of timely software updates and adhering to cybersecurity best practices to avoid exploitation. It is particularly critical for organizations dependent on NAKIVO software for their backup and replication needs, ensuring the latest version is installed to protect against potential attacks.

Additional Vulnerabilities

Notably, two other significant vulnerabilities have been added to the KEV catalog alongside the NAKIVO flaw. One is CVE-2025-1316, with a critical CVSS score of 9.3, affecting Edimax IC-7100 IP cameras due to an OS command injection flaw. This vulnerability has been actively exploited since May by attackers targeting the cameras with default credentials, aiming to deploy Mirai botnet variants. The other vulnerability, CVE-2017-12637, with a CVSS score of 7.5, affects SAP NetWeaver Application Server (AS) Java due to a directory traversal issue.

In light of these active threats, Federal Civilian Executive Branch (FCEB) agencies have been mandated to implement necessary mitigations by April 9 to safeguard their networks. These measures are part of ongoing efforts to protect critical infrastructure and prevent unauthorized access or data breaches.

Strategic Implications

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently issued an advisory about a critical security flaw in NAKIVO Backup & Replication software. Labeled CVE-2024-48248, this vulnerability has a significant CVSS score of 8.6 and is now part of the Known Exploited Vulnerabilities (KEV) catalog. This issue is an absolute path traversal vulnerability, enabling unauthorized users to access and read files on the affected system. One major concern is the potential exposure of the “/etc/shadow” file through the “/c/router” endpoint, which could lead to significant security breaches. The flaw impacts all NAKIVO software versions released before 10.11.3.86570, putting sensitive information at risk. As a result, organizations using these versions should prioritize updates to mitigate the threat. This advisory highlights the necessity of promptly addressing software security vulnerabilities to protect critical infrastructure and sensitive data from malicious attacks.

Explore more

BSP Boosts Efficiency with AI-Powered Reconciliation System

In an era where precision and efficiency are vital in the banking sector, BSP has taken a significant stride by partnering with SmartStream Technologies to deploy an AI-powered reconciliation automation system. This strategic implementation serves as a cornerstone in BSP’s digital transformation journey, targeting optimized operational workflows, reducing human errors, and fostering overall customer satisfaction. The AI-driven system primarily automates

Is Gen Z Leading AI Adoption in Today’s Workplace?

As artificial intelligence continues to redefine modern workspaces, understanding its adoption across generations becomes increasingly crucial. A recent survey sheds light on how Generation Z employees are reshaping perceptions and practices related to AI tools in the workplace. Evidently, a significant portion of Gen Z feels that leaders undervalue AI’s transformative potential. Throughout varied work environments, there’s a belief that

Can AI Trust Pledge Shape Future of Ethical Innovation?

Is artificial intelligence advancing faster than society’s ability to regulate it? Amid rapid technological evolution, AI use around the globe has surged by over 60% within recent months alone, pushing crucial ethical boundaries. But can an AI Trustworthy Pledge foster ethical decisions that align with technology’s pace? Why This Pledge Matters Unchecked AI development presents substantial challenges, with risks to

Data Integration Technology – Review

In a rapidly progressing technological landscape where organizations handle ever-increasing data volumes, integrating this data effectively becomes crucial. Enterprises strive for a unified and efficient data ecosystem to facilitate smoother operations and informed decision-making. This review focuses on the technology driving data integration across businesses, exploring its key features, trends, applications, and future outlook. Overview of Data Integration Technology Data

Navigating SEO Changes in the Age of Large Language Models

As the digital landscape continues to evolve, the intersection of Large Language Models (LLMs) and Search Engine Optimization (SEO) is becoming increasingly significant. Businesses and SEO professionals face new challenges as LLMs begin to redefine how online content is managed and discovered. These models, which leverage vast amounts of data to generate context-rich responses, are transforming traditional search engines. They