CVE-2024-48248
Published 2025-03-04
CVE-2024-48248: NAKIVO Backup & Replication before 11.0.0.88174 allows absolute path traversal for reading files via getImageByPath to /c/router (this may lead to remote code…
Priority: P1 · 92 · high · 8.6 CVSS 3.1
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:N / A:N
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2025-04-09
Exploited in the wild
EPSS: 93.99% (99.8th percentile)
NAKIVO Backup & Replication before 11.0.0.88174 allows absolute path traversal for reading files via getImageByPath to /c/router (this may lead to remote code execution across the enterprise because PhysicalDiscovery has cleartext credentials).
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nakivo | backup_replication_director | < 11.0.0.88174 | 11.0.0.88174 |
Detection & IOCs (extracted from sources)
command: {"action": "STPreLoadManagement", "data": ["{{path}}"], "method": "getImageByPath", "sid": "", "tid": "{{string}}", "type": "{{string}}"}
snort: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Naviko Unauthenticated Arbitrary File Read (CVE-2024-48248)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/c/router"; fast_pattern; http.request_body; content:"|22|STPreLoadManagement|22|"; content:"|22|getImageByPath|22|"; reference:url,labs.watchtowr.com/the-best-security-is-when-we-all-agree-to-keep-everything-secret-except-the-secrets-nakivo-backup-replication-cve-2024-48248/; reference:cve,2024-48248; classtype:web-application-attack; sid:2060506; rev:1; metadata:affected_product Naviko, attack_target Server, tls_state TLSDecrypt, created_at 2025_03_03, cve CVE_2024_48248, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2025_03_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes: |22|STPreLoadManagement|22|
bytes: |22|getImageByPath|22|
- On Linux targets, a successful exploit response body will contain the ASCII decimal encoding of 'root:' (114,111,111,116,58) and the string 'STPreLoadManagement' with HTTP 200.
- On Windows targets, a successful exploit response body will contain the ASCII decimal encoding of '; for' (59,32,102,111,114) and the string 'STPreLoadManagement' with HTTP 200.
- Shodan/FOFA can be used to identify exposed NAKIVO instances as attack surface; query on page title 'NAKIVO'.
- The vulnerability can expose PhysicalDiscovery cleartext credentials stored in configuration files, enabling lateral movement across the enterprise.
- Check Point IPS signature name for this CVE is 'NAKIVO Arbitrary File Read (CVE-2024-48248)'.
- The Snort/ET rule (sid:2060506) requires TLS decryption to be effective when traffic is encrypted, as indicated by its metadata tags 'deployment SSLDecrypt' and 'tls_state TLSDecrypt'.
- The vulnerability was silently patched; organizations must actively verify they are running version 11.0.0.88174 or later, as no public advisory was issued at patch time.
- Exploitation scope extends beyond file read: stolen credentials from configuration files and backups can unlock entire integrated infrastructure environments.
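As an added detection example (not from this page's sources, NAKIVO or the ET rule authors), a small Python classifier that applies the ET rule's request markers and the decimal-ASCII response indicators listed above to captured request/response pairs. The record schema (method, uri, status, request_body, response_body) is an assumed log format and the sample records are constructed; the matcher builds its pattern from the marker strings, so it covers both the Linux ('root:') and Windows ('; for') cases.

```python
import json
import re
# Request markers from the ET/Snort rule on this page: a POST to /c/router
# whose JSON body carries these two string values.
REQUEST_URI = "/c/router"
REQUEST_ACTION = "STPreLoadManagement"
REQUEST_METHOD = "getImageByPath"
# Response markers from the page's notes: leaked content comes back as decimal
# ASCII, so 'root:' (Linux) and '; for' (Windows) are matched as byte sequences.
RESPONSE_MARKERS = {"linux": "root:", "windows": "; for"}

def decimal_ascii_pattern(marker):
    """Regex for the decimal ASCII form of marker ('root:' -> 114,111,111,116,58),
    tolerating whitespace around the commas."""
    return re.compile(r"\s*,\s*".join(str(ord(c)) for c in marker))

def is_exploit_request(method, uri, body):
    """Mirror the ET rule: POST to /c/router with STPreLoadManagement/getImageByPath."""
    if method.upper() != "POST" or not uri.startswith(REQUEST_URI):
        return False
    try:
        data = json.loads(body)
    except ValueError:
        # Malformed JSON: fall back to the rule's plain substring checks.
        return f'"{REQUEST_ACTION}"' in body and f'"{REQUEST_METHOD}"' in body
    return data.get("action") == REQUEST_ACTION and data.get("method") == REQUEST_METHOD

def classify(record):
    """Return None, 'attempt' or 'success:<os>' for one request/response pair."""
    if not is_exploit_request(record["method"], record["uri"], record["request_body"]):
        return None
    resp = record.get("response_body", "")
    if record.get("status") == 200 and REQUEST_ACTION in resp:
        for os_name, marker in RESPONSE_MARKERS.items():
            if decimal_ascii_pattern(marker).search(resp):
                return f"success:{os_name}"
    return "attempt"

# Constructed sample pairs (not real traffic) shaped like the page's template.
EXPLOIT_BODY = ('{"action": "STPreLoadManagement", "data": ["{{path}}"], '
                '"method": "getImageByPath", "sid": "", "tid": "1", "type": "rpc"}')
SAMPLE_RECORDS = [
    {"method": "POST", "uri": "/c/router", "request_body": EXPLOIT_BODY, "status": 200,
     "response_body": '[{"action":"STPreLoadManagement","result":[114, 111,111,116,58,120]}]'},
    {"method": "POST", "uri": "/c/router", "request_body": EXPLOIT_BODY, "status": 403,
     "response_body": "Forbidden"},
    {"method": "POST", "uri": "/c/router", "status": 200, "response_body": '{"result":"ok"}',
     "request_body": '{"action": "AuthenticationManagement", "method": "login"}'},
]
```

Running `classify` over the three samples yields a confirmed Linux read, a blocked attempt, and a benign call to the same endpoint; an 'attempt' against a host that answers 200 without the marker is worth a version check against 11.0.0.88174.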
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| vulncheck | | 8.6 | HIGH | |
| cisa | | 8.6 | HIGH | |
GHSA
GHSA-8j8g-6gw9-rjrf: NAKIVO Backup & Replication before 11
ghsa_unreviewed · 2025-03-04 · CVE-2024-48248 [HIGH] · CWE-36
NAKIVO Backup & Replication before 11.0.0.88174 allows absolute path traversal for reading files via getImageByPath to /c/router (this may lead to remote code execution across the enterprise because PhysicalDiscovery has cleartext credentials).
VulnCheck
NAKIVO Backup and Replication Absolute Path Traversal Vulnerability
vulncheck · 2024 · CVSS 8.6 · CVE-2024-48248 [HIGH] · CWE-36
NAKIVO Backup and Replication contains an absolute path traversal vulnerability that enables an attacker to read arbitrary files.
Affected: NAKIVO Backup and Replication
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References:
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-03-16&host_type=src&vulnerability=cve-2024-48248
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-03-17&host_type=src&vulnerability=cve-2024-48248
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-0
CISA
NAKIVO Backup and Replication Absolute Path Traversal Vulnerability
cisa · 2025-03-19 · CVSS 8.6 · CVE-2024-48248 [HIGH] · CWE-36
Vulnerability: NAKIVO Backup and Replication Absolute Path Traversal Vulnerability
Affected: NAKIVO Backup and Replication
NAKIVO Backup and Replication contains an absolute path traversal vulnerability that enables an attacker to read arbitrary files.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://helpcenter.nakivo.com/Release-Notes/Content/Release-Notes.htm ; https://nvd.nist.gov/vuln/detail/CVE-2024-48248
Remediation Due Date: 2025-04-09
Suricata
ET WEB_SPECIFIC_APPS Naviko Unauthenticated Arbitrary File Read (CVE-2024-48248)
suricata · 2025-03-03 · CVSS 8.6 · CVE-2024-48248 [HIGH]
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Naviko Unauthenticated Arbitrary File Read (CVE-2024-48248)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/c/router"; fast_pattern; http.request_body; content:"|22|STPreLoadManagement|22|"; content:"|22|getImageByPath|22|"; reference:url,labs.watchtowr.com/the-best-security-is-when-we-all-agree-to-keep-everything-secret-except-the-secrets-nakivo-backup-replication-cve-2024-48248/; reference:cve,2024-48248; classtype:web-application-attack; sid:2060506; rev:1; metadata:affected_product Naviko, attack_target Server, tls_state TLSDecrypt, created_at 2025_03_03, cve CVE_2024_48248, deployment Perimeter,
Nuclei
NAKIVO Backup and Replication Solution - Unauthenticated Arbitrary File Read
nuclei · CVSS 8.6 · CVE-2024-48248 [HIGH]
NAKIVO Backup & Replication is a data protection solution used for backing up and restoring virtualized and physical environments. A vulnerability has been identified in certain versions of NAKIVO Backup & Replication that allows an unauthenticated attacker to read arbitrary files on the underlying system.
Template:
```yaml
id: CVE-2024-48248
info:
  name: NAKIVO Backup and Replication Solution - Unauthenticated Arbitrary File Read
  author: DhiyaneshDK
  severity: high
  description: |
    NAKIVO Backup & Replication is a data protection solution used for backing up and restoring virtualized and physical environments. A vulnerability has been identified in certain versions of NAKIVO Backup & Replication that allows an unauthenti
```
Checkpoint
24th March – Threat Intelligence Report
blogs_checkpoint · 2025-03-24 · CVE-2024-48248
For the latest discoveries in cyber research for the week of 24th March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Municipalities in four US states experienced cyberattacks that disrupted services for county offices, courts, and schools. Cleveland Municipal Court was hit by a Qilin ransomware attack, forcing employees offline and delaying trials, while Strafford County, Pelham School District, and Derby Police Department also reported servi
Bleepingcomputer
CISA tags NAKIVO backup flaw as actively exploited in attacks
blogs_bleepingcomputer · 2025-03-20 · CVSS 8.6 · CVE-2024-48248 [HIGH]
By Sergiu Gatlan
CISA has warned U.S. federal agencies to secure their networks against attacks exploiting a high-severity vulnerability in NAKIVO's Backup & Replication software.
Tracked as CVE-2024-48248, this absolute path traversal flaw can be exploited by unauthenticated attackers to read arbitrary files on vulnerable devices.
The US-based backup and ransomware recovery software vendor silently patched the security flaw with the release of Backup & Replication v11.0.0.88174 in November, almost two months after being notified of the issue by cybersecurity company watchTowr, who discovered the vulnerability.
"Exploiting this vulnerability could expose sensitive data, including configuration files, backups, and crede
References:
- https://helpcenter.nakivo.com/Release-Notes/Content/Release-Notes.htm
- https://labs.watchtowr.com/the-best-security-is-when-we-all-agree-to-keep-everything-secret-except-the-secrets-nakivo-backup-replication-cve-2024-48248/
- https://github.com/watchtowrlabs/nakivo-arbitrary-file-read-poc-CVE-2024-48248/?ref=labs.watchtowr.com
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-48248
Timeline:
- 2025-03-04: Published
- 2025-03-19: Added to CISA KEV
- Exploited in the wild