CVE-2024-48248 — NAKIVO Backup and Replication Absolute Path Traversal Vulnerability

CVE-2024-48248

NAKIVO Backup and Replication — Unauthenticated Absolute Path Traversal Enables Arbitrary File Read Including Credentials

What is NAKIVO Backup and Replication?

NAKIVO Backup and Replication is an enterprise data protection platform used by organizations to back up VMware, Hyper-V, Nutanix, and physical workloads, as well as cloud services like AWS EC2, Microsoft 365, and Google Workspace. It is deployed as a virtual appliance or installed on Windows/Linux servers and manages backup jobs, replication schedules, and recovery workflows for the organization's entire IT environment. Because it has read access to virtually every server, VM, and cloud workload in an environment, a compromised NAKIVO instance can expose an organization's most sensitive data and configuration.

Overview

CVE-2024-48248 is an absolute path traversal vulnerability in NAKIVO Backup and Replication that allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem by sending crafted HTTP requests. This includes sensitive files such as backup configuration databases, stored credentials, and API keys used to authenticate to the protected infrastructure. The vulnerability carries a Scope: Changed rating, reflecting that reading files from the NAKIVO server can expose credentials for and control over other systems. CISA added it to the KEV catalog in March 2025, confirming active exploitation.

Affected Versions

Product: NAKIVO Backup and Replication
Vulnerable: < 11.0.0.88174
Fixed: 11.0.0.88174

Technical Details

CWE-36 (Absolute Path Traversal). The NAKIVO web interface exposes an API endpoint that accepts a file path parameter. The application does not validate that the supplied path stays within an expected base directory — an attacker can provide an absolute path (e.g., /etc/shadow, /opt/nakivo/config/...) and receive the file contents in the response, without authenticating. Because NAKIVO runs with sufficient OS privileges to access its own configuration data, an unauthenticated attacker can retrieve:

  • NAKIVO's internal configuration database (containing credentials for all integrated backup targets)
  • VMware vCenter credentials
  • Hyper-V host credentials
  • AWS access keys and cloud storage credentials
  • Microsoft 365 and Google Workspace service account tokens
  • The NAKIVO admin password hash

With these credentials, an attacker moves from unauthenticated file read to full control over the backup infrastructure and, subsequently, the systems being backed up.
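The defect described above is the absence of any containment check on the client-supplied path. The following added example (written for this page; it is not NAKIVO's code, and the function names and the base directory /var/lib/example-app/exports are hypothetical) shows the unsafe join pattern next to a hardened resolver that rejects absolute paths and parent-directory segments, then canonicalises the result and confirms it still lies inside the base directory, which also catches symlinks that point elsewhere on disk.

```python
"""Added example (not NAKIVO's code): resolve a client-supplied file name
against one fixed base directory so that absolute paths, '..' segments and
symlinks cannot reach files outside it (the CWE-36 failure described above).
Function and directory names are hypothetical."""
import os
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a requested name would resolve outside the allowed base."""


def vulnerable_join(requested: str) -> str:
    # The defect pattern: the client value is joined onto a base directory
    # with no check. os.path.join discards the base when the second argument
    # is absolute, so '/etc/passwd' comes back unchanged. Shown for contrast.
    return os.path.join("/var/lib/example-app/exports", requested)


def safe_resolve(base_dir: str, requested: str) -> Path:
    """Return the canonical path for 'requested' inside base_dir, or raise.

    'requested' must already be URL-decoded (the web framework normally does
    this); checking a still-encoded string would miss %2e%2e sequences.
    """
    base = Path(base_dir).resolve()
    # 1. Absolute paths are never acceptable from a client.
    if os.path.isabs(requested) or requested.startswith(("/", "\\")):
        raise PathTraversalError("absolute path rejected")
    # 2. Refuse any '..' segment before touching the filesystem.
    if ".." in Path(requested).parts:
        raise PathTraversalError("parent-directory segment rejected")
    # 3. Canonicalise (follows symlinks) and confirm containment. This catches
    #    a symlink inside the base that points elsewhere on disk.
    candidate = (base / requested).resolve()
    if candidate != base and base not in candidate.parents:
        raise PathTraversalError("resolved outside base directory")
    return candidate


def demo() -> dict:
    """Exercise safe_resolve against constructed requests in a throwaway
    directory and report the outcome for each. Sample data, not real traffic."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        base = root / "exports"
        base.mkdir()
        (base / "report.txt").write_text("quarterly report")
        (root / "secret.conf").write_text("db.password=constructed-value")
        requests = ["report.txt", "/etc/passwd", "../secret.conf",
                    "sub/../../secret.conf"]
        try:
            # Symlink inside the base pointing outside it (needs symlink rights).
            (base / "link").symlink_to(root / "secret.conf")
            requests.append("link")
        except OSError:
            pass
        results = {}
        for req in requests:
            try:
                results[req] = "allowed: " + safe_resolve(str(base), req).name
            except PathTraversalError as exc:
                results[req] = "rejected: " + str(exc)
        return results


if __name__ == "__main__":
    print("vulnerable_join('/etc/passwd') ->", vulnerable_join("/etc/passwd"))
    for req, outcome in demo().items():
        print(f"{req!r:28} {outcome}")
```

The three checks are deliberately layered: the string checks give a clear error before any filesystem access, and the post-canonicalisation containment check is the one that actually guarantees the property, because it is evaluated on the path the operating system will open.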

Discovery

The vulnerability was reported to NAKIVO, which released version 11.0.0.88174 on March 4, 2025. CISA added it to the KEV catalog fifteen days later, on March 19, 2025, indicating confirmed in-the-wild exploitation.

Exploitation Context

Backup and recovery infrastructure is a priority target for ransomware operators — destroying or encrypting backups prevents victims from recovering without paying. An attacker who reads NAKIVO credentials can access and delete all backup jobs and recovery points, then proceed to encrypt production systems knowing the victim has no clean restore path. The unauthenticated nature of this vulnerability (no credentials required) makes it trivially exploitable by automated scanners targeting internet-accessible NAKIVO management interfaces.

Remediation

  1. Upgrade NAKIVO Backup and Replication to version 11.0.0.88174 or later immediately.
  2. Restrict the NAKIVO management interface to a dedicated management network — it should never be internet-accessible.
  3. After patching, rotate all credentials stored in NAKIVO: vCenter passwords, Hyper-V credentials, cloud access keys (AWS, Azure, GCP), and Microsoft 365 / Google Workspace service accounts.
  4. Review NAKIVO access logs for unauthorized API requests that may indicate exploitation prior to patching.
  5. Verify backup integrity — confirm recovery points were not deleted or tampered with during the exposure window.
  6. Enable MFA on the NAKIVO admin console and all integrated management platforms where supported.
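For step 4, the requests worth pulling out of the access logs are those whose file-path parameter names an absolute path or contains a parent-directory segment, including percent-encoded and double-encoded forms. The following added example (written for this page, not NAKIVO's tooling; the endpoint name /EXAMPLE_FILE_ENDPOINT, the parameter name file, the log layout and the sample lines are all constructed placeholders) scans such lines and separates likely successful reads, which should be treated as credential disclosure, from blocked attempts.

```python
"""Added example (not from NAKIVO or this advisory): scan web-server access
logs for requests whose query parameters carry an absolute path or a '..'
segment, the request shape an absolute path traversal relies on.
Endpoint name, parameter name and log layout are placeholders/assumptions;
adapt LOG_RE to the product's real log format."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed layout: NCSA common log format with request line and response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines; /EXAMPLE_FILE_ENDPOINT is a placeholder endpoint.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2025:08:14:02 +0000] "GET /EXAMPLE_FILE_ENDPOINT?file=reports/march.csv HTTP/1.1" 200 5120',
    '198.51.100.23 - - [10/Mar/2025:08:15:44 +0000] "GET /EXAMPLE_FILE_ENDPOINT?file=/etc/passwd HTTP/1.1" 200 1821',
    '198.51.100.23 - - [10/Mar/2025:08:15:51 +0000] "GET /EXAMPLE_FILE_ENDPOINT?file=..%2F..%2F..%2Fopt%2FEXAMPLE_APP%2Fconfig.db HTTP/1.1" 200 40960',
    '203.0.113.9 - - [10/Mar/2025:08:16:10 +0000] "GET /EXAMPLE_FILE_ENDPOINT?file=%252e%252e%252fetc%252fshadow HTTP/1.1" 403 0',
    '10.0.0.5 - - [10/Mar/2025:08:17:00 +0000] "POST /login HTTP/1.1" 302 0',
]


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (%252e -> %2e -> .) so the check sees
    the value the application would eventually act on."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_value(value: str) -> bool:
    """True if the decoded value is absolute or contains a '..' segment."""
    v = decode_fully(value).replace("\\", "/")
    if v.startswith("/"):
        return True
    return ".." in v.split("/")


def scan_log(lines):
    """Return one finding per suspicious query parameter, in log order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        # parse_qsl decodes one layer; decode_fully handles double encoding.
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if is_traversal_value(value):
                findings.append({
                    "ip": m["ip"], "ts": m["ts"], "endpoint": url.path,
                    "param": key, "value": decode_fully(value),
                    "status": int(m["status"]),
                    "size": 0 if m["size"] == "-" else int(m["size"]),
                })
    return findings


def successful_reads(findings):
    """Findings where the server answered 200 with a body: treat the named
    file as disclosed and rotate whatever credentials it held (step 3)."""
    return [f for f in findings if f["status"] == 200 and f["size"] > 0]


def by_source(findings):
    """Count suspicious requests per source address."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["ip"], f["param"], "=", f["value"], f["status"], f["size"])
    print("likely disclosed:", [f["value"] for f in successful_reads(found)])
    print("per source:", by_source(found))
```

A 200 response with a non-zero body is the signal that matters for the credential-rotation step: a 403 or 404 shows the attempt, but a successful read means the named file must be assumed to be in the attacker's hands.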

Key Details

CVE ID: CVE-2024-48248
Vendor / Product: NAKIVO — Backup and Replication
NVD Published: 2025-03-04
NVD Last Modified: 2025-11-05
CVSS 3.1 Score: 8.6
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Severity: HIGH
CWE: CWE-36
CISA KEV Added: 2025-03-19
CISA KEV Deadline: 2025-04-09
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2025-04-09. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

2025-03-04: CVE published; NAKIVO releases version 11.0.0.88174 patching the path traversal
2025-03-19: Added to CISA Known Exploited Vulnerabilities catalog
2025-04-09: CISA BOD 22-01 remediation deadline

References

NAKIVO Backup and Replication Release Notes (Vendor Advisory)
NVD — CVE-2024-48248 (Vulnerability Database)
CISA KEV Catalog Entry (US Government)