CVE-2024-48248
published 2025-03-04


Priority: P192, high, 8.6 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:N / A:N
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2025-04-09
Exploited in the wild
EPSS: 93.99% (99.8th percentile)
NAKIVO Backup & Replication before 11.0.0.88174 allows absolute path traversal for reading files via getImageByPath to /c/router (this may lead to remote code execution across the enterprise because PhysicalDiscovery has cleartext credentials).

Affected (1 range)

Vendor | Product | Version range | Fixed in
nakivo | backup_replication_director | < 11.0.0.88174 | 11.0.0.88174

Detection & IOCs (extracted from sources)

url: /c/router
path: /c/router
command: POST /c/router HTTP/1.1
command: {"action": "STPreLoadManagement", "data": ["{{path}}"], "method": "getImageByPath", "sid": "", "tid": "{{string}}", "type": "{{string}}"}
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Naviko Unauthenticated Arbitrary File Read (CVE-2024-48248)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/c/router"; fast_pattern; http.request_body; content:"|22|STPreLoadManagement|22|"; content:"|22|getImageByPath|22|"; reference:url,labs.watchtowr.com/the-best-security-is-when-we-all-agree-to-keep-everything-secret-except-the-secrets-nakivo-backup-replication-cve-2024-48248/; reference:cve,2024-48248; classtype:web-application-attack; sid:2060506; rev:1; metadata:affected_product Naviko, attack_target Server, tls_state TLSDecrypt, created_at 2025_03_03, cve CVE_2024_48248, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2025_03_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes: |22|STPreLoadManagement|22|
bytes: |22|getImageByPath|22|
  • On Linux targets, a successful exploit response body will contain the ASCII decimal encoding of 'root:' (114,111,111,116,58) and the string 'STPreLoadManagement' with HTTP 200.
  • On Windows targets, a successful exploit response body will contain the ASCII decimal encoding of '; for' (59,32,102,111,114) and the string 'STPreLoadManagement' with HTTP 200.
  • Shodan/FOFA can be used to identify exposed NAKIVO instances as attack surface; query on page title 'NAKIVO'.
  • The vulnerability can expose PhysicalDiscovery cleartext credentials stored in configuration files, enabling lateral movement across the enterprise.
  • Check Point IPS signature name for this CVE is 'NAKIVO Arbitrary File Read (CVE-2024-48248)'.
  • The Snort/ET rule (sid:2060506) requires TLS decryption to be effective when traffic is encrypted, as indicated by the metadata deployment tag 'SSLDecrypt' and 'tls_state TLSDecrypt'.
  • The vulnerability was silently patched; organizations must actively verify they are running version 11.0.0.88174 or later, as no public advisory was issued at patch time.
  • Exploitation scope extends beyond file read: stolen credentials from configuration files and backups can unlock entire integrated infrastructure environments.
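
The request conditions of the ET rule and the response markers listed above can be applied together to decrypted proxy or WAF records to separate attempts from file reads that returned content. This is an added example, not code from this page or from any vendor; the record layout, function names and sample transactions are constructed assumptions.

```python
import json

# Response markers listed on this page: decimal ASCII of 'root:' (Linux) and '; for' (Windows).
SUCCESS_MARKERS = {"linux": "114,111,111,116,58", "windows": "59,32,102,111,114"}

def is_probe(method, uri, body):
    """Request side: POST to /c/router naming STPreLoadManagement and getImageByPath."""
    if method.upper() != "POST" or "/c/router" not in uri:
        return False
    # Same quoted byte strings the ET rule looks for in the request body.
    if '"STPreLoadManagement"' in body and '"getImageByPath"' in body:
        return True
    # Also compare decoded JSON fields, so the formatting of the body does not matter.
    try:
        msg = json.loads(body)
    except ValueError:
        return False
    return (isinstance(msg, dict) and msg.get("action") == "STPreLoadManagement"
            and msg.get("method") == "getImageByPath")

def classify(txn):
    """Return 'clean', 'attempt', or 'file-read-succeeded-<platform>' for one transaction."""
    if not is_probe(txn["method"], txn["uri"], txn["request_body"]):
        return "clean"
    # Drop whitespace so '114, 111, ...' and '114,111,...' compare equal.
    resp = "".join(txn.get("response_body", "").split())
    if txn.get("status") == 200 and "STPreLoadManagement" in resp:
        for platform, marker in SUCCESS_MARKERS.items():
            if marker in resp:
                return f"file-read-succeeded-{platform}"
    return "attempt"

# Constructed sample transactions; only the markers and request fields come from the page.
_REQ = json.dumps({"action": "STPreLoadManagement", "data": ["<constructed-path>"],
                   "method": "getImageByPath", "sid": "", "tid": "t1", "type": "rpc"})
SAMPLES = [
    {"method": "POST", "uri": "/c/router", "request_body": _REQ, "status": 200,
     "response_body": '{"action":"STPreLoadManagement","data":[114, 111, 111, 116, 58, 120]}'},
    {"method": "POST", "uri": "/c/router", "request_body": _REQ, "status": 200,
     "response_body": '{"action":"STPreLoadManagement","data":[59,32,102,111,114,32]}'},
    {"method": "POST", "uri": "/c/router", "request_body": _REQ, "status": 200,
     "response_body": '{"action":"STPreLoadManagement","result":null}'},
    {"method": "POST", "uri": "/c/router", "status": 200, "response_body": "{}",
     "request_body": '{"action":"ConstructedOtherAction","method":"constructedMethod"}'},
]

if __name__ == "__main__":
    for t in SAMPLES:
        print(classify(t))
```

A 'file-read-succeeded' result means file content left the server, so the follow-up is credential rotation for anything stored on that host, not only patching.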

CVSS provenance

nvd: v3.1, 8.6 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
vulncheck: 8.6 HIGH
cisa: 8.6 HIGH