The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added a high-severity security flaw affecting NAKIVO Backup & Replication software to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, CVE-2024-48248, is an absolute path traversal issue that allows unauthenticated attackers to read sensitive files on affected systems. This flaw, which affects all versions prior to v10.11.3.86570, can potentially expose critical data, including configuration files, backups, and credentials.
CISA has urged all U.S. federal agencies to patch their systems by April 9, 2025, as required by Binding Operational Directive (BOD) 22-01. This vulnerability could lead to further compromises within an organization’s infrastructure if exploited by cybercriminals. The issue was discovered by cybersecurity firm watchTowr Labs, who released a proof-of-concept exploit in February 2024, demonstrating the ease with which attackers could access arbitrary files on a vulnerable system.
Despite being silently patched by NAKIVO in November 2024, the vulnerability remained unaddressed in the company’s release notes until March 6, 2025. The flaw has been actively exploited since at least February, with CISA’s addition of the vulnerability to the KEV catalog highlighting its active exploitation. Although NAKIVO has yet to confirm the exploitation of the flaw in the wild, the company’s advisory encourages users to check system logs for signs of unauthorized access attempts and unexpected file access activities.
Besides CVE-2024-48248, CISA’s catalog also includes two other severe vulnerabilities affecting Edimax IP cameras and SAP NetWeaver Application Server. These flaws are also being actively exploited by threat actors and require immediate attention. All organizations, not just federal agencies, are advised to apply patches as soon as possible to mitigate the risks posed by these vulnerabilities.