A critical vulnerability, tracked as CVE-2024-48248, has been discovered in the Nakivo Backup & Replication tool, exposing systems to unauthenticated arbitrary file read attacks.
Security researchers from watchTowr Labs disclosed the flaw, which affects version 10.11.3.86570 and potentially earlier versions of the software.
This vulnerability allows attackers to access sensitive files on targeted systems without authentication, posing significant risks to organizations relying on Nakivo for data protection.
The flaw resides in Nakivo’s Director web interface, specifically in the /c/router endpoint. Attackers can exploit this endpoint by sending specially crafted HTTP requests that invoke methods like getImageByPath.
This method processes user-supplied file paths without proper validation, enabling attackers to read arbitrary files on the underlying system.
The vulnerability is further exacerbated by the fact that Nakivo often runs with elevated privileges, granting access to critical system files such as /etc/shadow on Linux or C:\windows\win.ini on Windows.
Researchers demonstrated how an attacker could use this vulnerability to extract sensitive data, including backup logs and database files containing credentials for integrated systems like AWS S3 buckets and SSH-enabled servers.
These credentials are stored in an encrypted format but can be decrypted using keys available within the application directory.
watchTowr Labs has released a proof-of-concept (PoC) exploit that showcases how attackers can use this vulnerability to read sensitive files.
The PoC highlights the ease with which an attacker can exfiltrate backup logs and other critical data, potentially leading to full compromise of the targeted infrastructure.
Despite multiple disclosure attempts beginning in September 2024, Nakivo initially failed to respond. The company eventually acknowledged the issue in October 2024 and silently patched it in version 11.0.0.88174 without issuing a public advisory or CVE announcement.
The fix involves stricter file path validation using the FileUtils library, preventing directory traversal attempts. However, Nakivo’s lack of transparency has drawn criticism from security experts.
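The containment check described above, as an added illustration that is not Nakivo's code and makes no claim about its actual FileUtils usage: a file path taken from a request is only accepted if, after canonicalisation, it still lies inside a fixed base directory. The base directory "/srv/app/images" and the function names are assumptions.

```python
import os
from typing import Optional


def safe_file_path(base_dir: str, user_path: str) -> Optional[str]:
    """Resolve user_path under base_dir, or return None if it escapes.

    This mirrors what the write-up says the vendor fix added (path
    validation that blocks directory traversal); the pre-fix handler used
    the supplied path without such a check. Names are illustrative only.
    """
    # Reject embedded NUL bytes: some runtimes truncate the path there, so
    # the string that is validated would differ from the one opened.
    if "\0" in user_path:
        return None
    # Treat backslash as a separator on every OS so "..\\" sequences are
    # caught even when the service runs on POSIX (a conservative choice).
    user_path = user_path.replace("\\", "/")
    # An absolute user path makes os.path.join discard base_dir entirely.
    if os.path.isabs(user_path):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    # realpath collapses ".." segments and follows symlinks, so a symlink
    # planted inside base_dir that points outside it is also rejected.
    # The trailing separator stops a sibling like "images2" from passing.
    if candidate != base and not candidate.startswith(base + os.sep):
        return None
    return candidate


def is_within_base(base_dir: str, user_path: str) -> bool:
    """Boolean form of the check, convenient for request filters and tests."""
    return safe_file_path(base_dir, user_path) is not None


if __name__ == "__main__":
    # Constructed inputs; "/srv/app/images" is an assumed base directory.
    root = "/srv/app/images"
    for p in ["thumbs/logo.png", "thumbs/../logo.png", "../../etc/shadow",
              "/etc/shadow", "..\\..\\windows\\win.ini", "../images2/x.png"]:
        print(f"{p!r:32} -> {safe_file_path(root, p)}")
```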
The absence of public communication about such a severe vulnerability leaves many users unaware of the risks and unpatched systems exposed to exploitation.
The vulnerability poses a high risk to organizations using unpatched Nakivo Backup & Replication versions. Attackers could potentially access sensitive backups, credentials, and other critical data stored within the system.
The Shadowserver Foundation has reported detecting 208 vulnerable instances of Nakivo Backup & Replication software affected by CVE-2024-48248, a critical vulnerability that enables arbitrary file reads.
We are scanning for & reporting Nakivo Backup & Replication CVE-2024-48248 (arbitrary file read) vulnerable instances in our Vulnerable HTTP report: https://t.co/qxv0Gv6cAK.
~208 vulnerable instances seen 2025-02-26
Dashboard map view: https://t.co/z2ekwWPIl7 pic.twitter.com/iOCORPCDwi
— The Shadowserver Foundation (@Shadowserver) February 27, 2025
As of February 26, 2025, these instances were identified globally, with the highest concentration in France (26), followed by the United States (19), Italy (15), and Germany and Spain (11 each).
Organizations are strongly advised to update to version 11.0.0.88174 or later immediately. For detection, security teams can use tools like Nuclei templates or scripts provided by watchTowr Labs to identify vulnerable instances.
Additionally, administrators should monitor network traffic for unusual activity indicative of data exfiltration.
This incident underscores the importance of timely patching and transparent communication from vendors regarding security vulnerabilities. Backup solutions like Nakivo are attractive targets for attackers due to their access to critical infrastructure data.
Organizations must remain vigilant and prioritize updates to safeguard their systems against emerging threats.