Critical Nakivo Vulnerability CVE-2024-48248 Exposes Sensitive Data


In a startling revelation that has sent ripples through the cybersecurity community, a critical vulnerability has been discovered in the Nakivo Backup & Replication tool, officially tracked as CVE-2024-48248. This security flaw has left systems vulnerable to unauthenticated arbitrary file read attacks. Identified by security researchers at WatchTowr Labs, the vulnerability affects version 10.11.3.86570 and potentially earlier versions, raising significant concerns about the safety and integrity of data protected by Nakivo’s widely used backup solution.

Exploiting the Nakivo Director Web Interface

Understanding the Flaw and Exploit Mechanism

The vulnerability resides in Nakivo’s Director web interface, specifically in the /c/router endpoint. An attacker sends a specially crafted HTTP request to this endpoint that invokes the getImageByPath method. That method takes a caller-supplied file path and opens it without adequate validation, so an unauthenticated attacker can read arbitrary files on the host. The flaw is especially dangerous because the Nakivo service typically runs with elevated privileges, and the file is read with those privileges: the researchers showed reads of critical system files such as /etc/shadow on Linux and C:\windows\win.ini on Windows, and the same primitive reaches any other sensitive data or configuration the service account can open.

Security researchers have demonstrated that attackers can leverage this vulnerability to extract valuable information, such as backup logs and database files containing credentials for integrated systems like AWS S3 buckets and SSH-enabled servers. Although these stored credentials are encrypted, the keys needed to decrypt them live in the application directory, which the same file-read primitive can retrieve. WatchTowr Labs has released a proof-of-concept (PoC) exploit showing how easily sensitive files can be exfiltrated. This flaw, combined with the privileged access typically granted to Nakivo processes and the credentials a backup server holds for the systems it protects, can lead to a full compromise of the affected infrastructure, putting numerous organizations at risk.

Delayed Response and Silent Patch

Despite multiple disclosure attempts starting in September 2024, Nakivo remained unresponsive for a period. It wasn’t until October 2024 that the company acknowledged the issue and released a silent patch in version 11.0.0.88174. This patch implemented stricter file path validation using the FileUtils library to prevent directory traversal attempts. However, the lack of transparency from Nakivo has been criticized by security experts. The absence of a public advisory or CVE announcement meant that many users remained unaware of the vulnerability and the necessity to patch their systems, leaving them exposed to potential exploitation.
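The bug class described in the two sections above, as an added example that is not Nakivo’s code: a handler that takes a caller-supplied path and reads it relative to an image directory, first in a deliberately vulnerable form (the string is joined onto the base directory and opened without checking where it lands) and then hardened with the kind of canonicalise-and-contain check the patch is described as adding. The function names, directory layout and sample files are constructed for the demonstration; the real Director code, its FileUtils call and its on-disk layout are not shown on this page.

```python
import os
import shutil
import tempfile
from pathlib import Path


class PathOutsideBase(ValueError):
    """Raised when a requested path resolves outside the allowed directory."""


def get_image_by_path_vulnerable(base_dir: str, user_path: str) -> bytes:
    """Deliberately vulnerable: joins the caller's string onto base_dir and
    opens the result without checking where it lands.  "../" segments walk
    out of base_dir, an absolute user_path makes os.path.join discard base_dir
    entirely, and a symlink inside base_dir is followed wherever it points.
    Hypothetical stand-in for the handler class the article describes,
    not Nakivo's source."""
    return Path(os.path.join(base_dir, user_path)).read_bytes()


def resolve_under_base(base_dir: str, user_path: str) -> Path:
    """Canonicalise base_dir and the requested path, then require that the
    request is base_dir itself or a descendant of it.  resolve() collapses
    ".." and follows symlinks, so all three escape routes above are compared
    against the real base directory rather than the string the caller sent."""
    base = Path(base_dir).resolve(strict=True)
    candidate = (base / user_path).resolve()   # absolute user_path replaces base here
    if candidate != base and base not in candidate.parents:
        raise PathOutsideBase(f"{user_path!r} resolves to {candidate}, outside {base}")
    return candidate


def get_image_by_path_hardened(base_dir: str, user_path: str) -> bytes:
    """Hardened handler: only regular files below base_dir can be read."""
    path = resolve_under_base(base_dir, user_path)
    if not path.is_file():
        raise FileNotFoundError(user_path)
    return path.read_bytes()


def demo() -> dict:
    """Build a throwaway tree (constructed for this example), run both handlers
    against a legitimate request and three escape attempts, and return the
    outcomes so they can be checked programmatically."""
    root = Path(tempfile.mkdtemp(prefix="pathcheck-demo-"))
    try:
        images = root / "images"            # the directory the handler is meant to serve
        images.mkdir()
        (images / "logo.png").write_bytes(b"PNG-DATA")
        secret = root / "secret.txt"        # sits OUTSIDE images/, as /etc/shadow would
        secret.write_bytes(b"db-password")
        attempts = {"traversal": "../secret.txt", "absolute": str(secret)}
        try:
            (images / "link").symlink_to(secret)   # symlink pointing out of the base dir
            attempts["symlink"] = "link"
        except OSError:
            pass                                    # no symlink privilege (e.g. Windows): skip

        results = {}
        # Vulnerable handler: every escape attempt hands back the secret.
        for name, req in attempts.items():
            results["vuln_" + name] = get_image_by_path_vulnerable(str(images), req)
        # Hardened handler: escapes are refused, the legitimate file still works.
        for name, req in attempts.items():
            try:
                get_image_by_path_hardened(str(images), req)
                results["hardened_" + name] = "allowed"
            except PathOutsideBase:
                results["hardened_" + name] = "blocked"
        results["vuln_legit"] = get_image_by_path_vulnerable(str(images), "logo.png")
        results["hardened_legit"] = get_image_by_path_hardened(str(images), "logo.png")
        return results
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value!r}")
```

The containment test is done on the resolved paths, not on the raw string: rejecting ".." substrings alone would still let an absolute path or a symlink through, which is why both handlers are exercised against all three escape routes.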

As of February 26, 2025, the Shadowserver Foundation reported 208 instances of Nakivo Backup & Replication exposed to the internet and still vulnerable to CVE-2024-48248 worldwide, concentrated in France, the United States, Italy, Germany, and Spain. Organizations running older, unpatched versions of Nakivo are strongly advised to update to version 11.0.0.88174 or later immediately. Detection tools, such as Nuclei templates or the scripts from WatchTowr Labs, can help identify vulnerable instances. Administrators should also review web server logs for unauthenticated requests to the /c/router endpoint, treat the credentials stored in an instance that was reachable while unpatched as potentially compromised, and monitor network traffic for unusual outbound transfers indicative of data exfiltration.

The Importance of Timely and Transparent Patch Management

Risks Associated with Delayed Patching

The incident underscores the significance of timely patching and transparent communication from software vendors regarding security vulnerabilities. In the world of backup solutions like Nakivo, which have access to an organization’s crucial infrastructure data, overlooking such concerns can result in considerable security breaches. The ability of attackers to exploit known vulnerabilities before users apply patches poses a significant risk, as seen in the delayed response and silent patching that followed the discovery of CVE-2024-48248. Organizations must remain vigilant, constantly updating and configuring their systems to mitigate emerging threats.

Given the critical role that backup solutions play in securing and maintaining the integrity of data, they become prominent targets for attackers. This incident has highlighted how crucial it is for vendors to prioritize security and maintain open lines of communication with their user base. The lack of timely information and guidance can lead to widespread vulnerabilities that significantly compromise organizational security. Consequently, the incident has initiated discussions within the industry about the responsibilities of software vendors and the expectations organizations should have regarding security disclosures.

Future Considerations for Enterprises

For enterprises, the lesson of CVE-2024-48248 is that a backup server is not just another application. It holds credentials for the storage targets, cloud buckets and SSH hosts it protects, so an unauthenticated file read against it can become a foothold into the rest of the environment. Organizations running Nakivo Backup & Replication should confirm they are on version 11.0.0.88174 or later, keep the Director web interface off the public internet and restrict it to administrative networks, and rotate any credentials stored in an instance that was exposed while vulnerable. More broadly, because the fix for this flaw shipped without an advisory, patch cadence for backup and other privileged infrastructure software should not wait on a vendor announcement: continuous vigilance and prompt updates remain the only reliable safeguard.
