The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity security flaw impacting NAKIVO Backup & Replication software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability in question is CVE-2024-48248 (CVSS score: 8.6), an absolute path traversal bug that could allow an unauthenticated attacker to read files on the target host, including sensitive ones such as “/etc/shadow” via the endpoint “/c/router.” It affects all versions of the software prior to version 10.11.3.86570.
“NAKIVO Backup and Replication contains an absolute path traversal vulnerability that enables an attacker to read arbitrary files,” CISA said in an advisory.

Successful exploitation of the shortcoming could allow an adversary to read sensitive data, including configuration files, backups, and credentials, which could then act as a stepping stone for further compromises.
There are currently no details on how the vulnerability is being exploited in the wild, but the development comes after watchTowr Labs published a proof-of-concept (PoC) exploit toward the end of last month. The issue has been addressed as of November 2024 with version v11.0.0.88174.
The cybersecurity firm further noted that the unauthenticated arbitrary file read vulnerability could be weaponized to obtain all stored credentials used by the target NAKIVO solution and hosted on the database “product01.h2.db.”
Also added to the KEV catalog are two other flaws –
- CVE-2025-1316 (CVSS score: 9.3) – Edimax IC-7100 IP camera contains an OS command injection vulnerability due to improper input sanitization that allows an attacker to achieve remote code execution via specially crafted requests (Unpatched because the device has reached end-of-life)
- CVE-2017-12637 (CVSS score: 7.5) – SAP NetWeaver Application Server (AS) Java contains a directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS that allows a remote attacker to read arbitrary files via a .. (dot dot) in the query string
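A defender-side triage helper for the two file-read flaws above (the NAKIVO “/c/router” absolute-path read and the SAP UIUtilJavaScriptJS “..” traversal), added here as an illustration and not part of the CISA advisory or either vendor's tooling. It checks a NAKIVO version string against the 10.11.3.86570 threshold stated in the article and flags web-server log lines that carry either indicator; the log lines, their field layout and the way the request body appears in them are constructed assumptions.

```python
import re
from typing import List, Tuple

# All versions before this one are affected, per the advisory text.
NAKIVO_FIXED = (10, 11, 3, 86570)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn 'v10.11.2.88000' into a comparable tuple of ints."""
    return tuple(int(p) for p in v.lstrip("vV").split("."))


def nakivo_is_affected(version: str) -> bool:
    """True when the NAKIVO version string is older than 10.11.3.86570."""
    return parse_version(version) < NAKIVO_FIXED


# Indicators taken from the advisory: the NAKIVO /c/router endpoint handed an
# absolute filesystem path, and the SAP endpoint handed '..' (raw or encoded).
NAKIVO_ROUTER = re.compile(r"/c/router")
ABS_PATH = re.compile(r'(?<![\w.])/(?:etc|root|home|var|opt)/[\w./-]+')
SAP_TRAVERSAL = re.compile(r'UIUtilJavaScriptJS[^\s"]*(?:\.\.|%2e%2e)', re.I)


def flag_traversal_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_no, reason) for every log line matching an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        if NAKIVO_ROUTER.search(line) and ABS_PATH.search(line):
            hits.append((n, "nakivo /c/router with absolute path"))
        elif SAP_TRAVERSAL.search(line):
            hits.append((n, "sap UIUtilJavaScriptJS with .."))
    return hits


# Constructed sample log lines (not real traffic). The trailing quoted field is
# a hypothetical logged request body; the advisory names only endpoint and file.
SAMPLE_LOG = [
    '10.0.0.5 - - "POST /c/router HTTP/1.1" 200 512 "/etc/shadow"',
    '10.0.0.6 - - "POST /c/router HTTP/1.1" 200 128 "getVersion"',
    '10.0.0.7 - - "GET /scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS'
    '?..%2f..%2fetc%2fpasswd HTTP/1.1" 200 44',
    '10.0.0.8 - - "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    print("10.11.2.88000 affected:", nakivo_is_affected("10.11.2.88000"))
    for line_no, reason in flag_traversal_lines(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

Lines 1 and 3 of the sample are flagged; line 2 hits the endpoint without an absolute path and is left alone, which is the kind of benign /c/router traffic a rule on the endpoint alone would drown in.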

Last week, Akamai revealed that CVE-2025-1316 is being weaponized by bad actors to target cameras with default credentials in an effort to deploy at least two different Mirai botnet variants since May 2024.
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary mitigations by April 9, 2025, to secure their networks.