CVE-2024-48248
Published: 04 March 2025
Summary
CVE-2024-48248 is a high-severity Absolute Path Traversal (CWE-36) vulnerability in Nakivo Backup & Replication Director. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI-generated)
- SI-2 (Flaw Remediation): Requires timely remediation and patching of the specific path traversal flaw in NAKIVO Backup & Replication prior to version 11.0.0.88174, directly eliminating arbitrary file read exploitation.
- SI-10 (Information Input Validation): Enforces validation of untrusted inputs like paths to the getImageByPath function in /c/router, preventing absolute path traversal (CWE-36) attacks.
- SC-7 (Boundary Protection): Monitors and controls communications at external boundaries to detect and block network requests exploiting path traversal to the vulnerable /c/router endpoint.
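The SI-10 control above is the one that removes the root cause. The following Python is an added illustration of what that validation looks like for a file-serving handler; it is not NAKIVO's code (the page does not show the getImageByPath implementation), and the names serve_image, resolve_under_root and the temporary sandbox directory it builds are assumptions. It shows why a naive join is unsafe (an absolute second argument discards the base directory, which is the CWE-36 pattern), then the hardened check: reject absolute paths and traversal components, canonicalise, and confirm the result still lies under the served root, which also catches symlinks that point outside it.

```python
"""Added example: hardening a path-taking file handler against
absolute path traversal (CWE-36). Not NAKIVO code; names are assumed."""
import os
import tempfile


class PathRejected(ValueError):
    """Raised when a client-supplied path must not be served."""


def naive_join(root: str, requested: str) -> str:
    # Unsafe: os.path.join drops `root` entirely when `requested` is
    # absolute, so the client chooses the file. Kept only to show the bug.
    return os.path.join(root, requested)


def resolve_under_root(root: str, requested: str) -> str:
    """Return the canonical path for `requested` only if it lies under `root`."""
    # 1. Never accept a filesystem location from the client, only a
    #    name relative to the served directory.
    if os.path.isabs(requested) or requested.startswith(("/", "\\")):
        raise PathRejected(f"absolute path not allowed: {requested!r}")
    # 2. Reject traversal and empty components before touching the disk.
    parts = requested.replace("\\", "/").split("/")
    if any(part in ("", ".", "..") for part in parts):
        raise PathRejected(f"traversal component in: {requested!r}")
    # 3. Canonicalise both sides (resolves symlinks) and require containment.
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PathRejected(f"resolves outside served root: {requested!r}")
    return candidate


def serve_image(root: str, requested: str) -> bytes:
    """Hardened handler: read a file only after the containment check."""
    with open(resolve_under_root(root, requested), "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Build a constructed sandbox and exercise the handler on four inputs."""
    base = tempfile.mkdtemp(prefix="imgroot_")      # constructed sandbox
    served = os.path.join(base, "images")
    os.makedirs(served)
    with open(os.path.join(served, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG constructed sample")
    secret = os.path.join(base, "secret.txt")       # outside served root
    with open(secret, "w") as fh:
        fh.write("constructed sample; must never be readable via the handler")
    os.symlink(secret, os.path.join(served, "escape"))  # symlink escaping root

    def attempt(requested: str) -> str:
        try:
            serve_image(served, requested)
            return "served"
        except PathRejected:
            return "rejected"

    return {
        # The naive join hands the attacker-chosen absolute path straight back.
        "naive_join_escapes": naive_join(served, secret) == secret,
        "relative_name": attempt("logo.png"),
        "absolute_path": attempt(secret),
        "dot_dot": attempt("../secret.txt"),
        "symlink_escape": attempt("escape"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Step 3 is the one that matters even when steps 1 and 2 look sufficient: a symlink created inside the served directory passes the lexical checks, and only canonicalising the resolved path and comparing it against the canonical root catches it.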
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
Unauthenticated path traversal enables arbitrary file read (T1190: Exploit Public-Facing Application), including cleartext credentials in PhysicalDiscovery files (T1552.001: Credentials In Files), facilitating credential access via exploitation (T1212: Exploitation for Credential Access).
NVD Description
NAKIVO Backup & Replication before 11.0.0.88174 allows absolute path traversal for reading files via getImageByPath to /c/router (this may lead to remote code execution across the enterprise because PhysicalDiscovery has cleartext credentials).
Deeper analysis (AI-generated)
CVE-2024-48248 is an absolute path traversal vulnerability (CWE-36) in NAKIVO Backup & Replication versions prior to 11.0.0.88174. The flaw resides in the /c/router endpoint, specifically the getImageByPath function, which allows attackers to read arbitrary files on the affected system. It carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), reflecting high severity due to network accessibility, low attack complexity, and no privileges or user interaction required.
Unauthenticated remote attackers can exploit this vulnerability over the network to access sensitive files, achieving high confidentiality impact with a changed scope. The disclosure notes that this file read capability may enable remote code execution across the enterprise, as the PhysicalDiscovery component stores cleartext credentials.
Nakivo's release notes document the fix in version 11.0.0.88174 and later. Watchtower Labs provides a detailed analysis and a proof-of-concept exploit on GitHub demonstrating arbitrary file read.
The vulnerability appears in CISA's Known Exploited Vulnerabilities Catalog, indicating real-world exploitation by adversaries.
Details
- CWE(s): CWE-36 (Absolute Path Traversal)
- KEV Date Added: 19 March 2025