CVE-2024-48248 Overview
CVE-2024-48248 is an absolute path traversal vulnerability in NAKIVO Backup & Replication before version 11.0.0.88174. It allows unauthenticated attackers to read arbitrary files from the affected system through the getImageByPath function exposed on the /c/router endpoint. The impact is especially severe because the PhysicalDiscovery component stores credentials in cleartext: reading those files hands an attacker authentication material that can be escalated to remote code execution elsewhere in the enterprise environment.
Critical Impact
This vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild. Successful exploitation allows attackers to read sensitive files including cleartext credentials, potentially leading to full enterprise compromise.
Affected Products
- NAKIVO Backup & Replication Director versions prior to 11.0.0.88174
- All deployment configurations of NAKIVO Backup & Replication using vulnerable versions
- Enterprise environments utilizing PhysicalDiscovery with stored credentials
Discovery Timeline
- 2025-03-04 - CVE-2024-48248 published to NVD
- 2025-11-05 - Last updated in the NVD database
Technical Details for CVE-2024-48248
Vulnerability Analysis
This vulnerability is classified as an Absolute Path Traversal (CWE-36) issue that enables unauthenticated remote attackers to access arbitrary files on the target system. The vulnerable endpoint /c/router accepts a getImageByPath request that fails to properly validate or sanitize the file path parameter. By manipulating this parameter with absolute path sequences, attackers can escape the intended directory restrictions and read any file accessible by the NAKIVO service account.
The severity of this vulnerability is compounded by the fact that NAKIVO Backup & Replication's PhysicalDiscovery component stores credentials in cleartext. When an attacker successfully exploits this path traversal vulnerability to read these credential files, they gain access to authentication material that can be used to compromise additional systems within the enterprise infrastructure.
Root Cause
The root cause of CVE-2024-48248 is improper input validation in the getImageByPath function within the /c/router endpoint. The application fails to implement adequate path canonicalization or validation checks before processing file read operations. This allows attackers to supply absolute file paths that bypass intended directory restrictions. The absence of authentication requirements on this endpoint further exacerbates the vulnerability by allowing unauthenticated network-based exploitation.
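To make the root cause concrete, the following added example (not NAKIVO's code, and not taken from the page) places the unsafe pattern next to its hardened form. The image root directory, the function names and the sample inputs are all assumptions made for the illustration; the point is that joining an attacker-controlled path onto a base directory without canonicalizing it and proving containment is exactly the CWE-36 defect, and that the fix is a component-wise containment check on the canonical path, not a string prefix test.

```python
import os
from typing import Optional

# Constructed image root for the example; the Director's real install and
# image directories are not given on the page.
IMAGE_ROOT = "/opt/example-backup/web/images"


def image_path_unchecked(root: str, requested: str) -> str:
    """The defect class behind CWE-36 (Absolute Path Traversal), in miniature.

    os.path.join() discards every earlier component as soon as a later one
    is absolute, so requested="/etc/hostname" does not land under root; it
    replaces root. A subsequent open() then serves whatever the service
    account can read. This is the pattern a getImageByPath-style handler
    must not use; it is an illustration, not NAKIVO's actual code.
    """
    return os.path.normpath(os.path.join(root, requested))


def image_path_checked(root: str, requested: str) -> str:
    """Hardened form: reject absolute input, canonicalize, prove containment.

    Raises ValueError for anything that would resolve outside root.
    """
    if not requested or "\x00" in requested or os.path.isabs(requested):
        raise ValueError("empty, NUL-containing or absolute path rejected")
    real_root = os.path.realpath(root)
    # realpath() resolves ".." segments and symlinks, so the containment
    # test below is made on the path that would actually be opened.
    candidate = os.path.realpath(os.path.join(real_root, requested))
    # commonpath() compares whole components; a str.startswith() check would
    # wrongly accept a sibling such as ".../images-old/x.png".
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise ValueError(f"path escapes image root: {requested!r}")
    return candidate


def try_checked(root: str, requested: str) -> Optional[str]:
    """Return the safe path, or None when the hardened check rejects it."""
    try:
        return image_path_checked(root, requested)
    except ValueError:
        return None


if __name__ == "__main__":
    for req in ("logos/site.png", "thumbs/../logos/site.png", "/etc/hostname",
                "../../../../etc/hostname", "../images-old/x.png"):
        print(f"{req!r:32} unchecked -> {image_path_unchecked(IMAGE_ROOT, req)}")
        print(f"{'':32} checked   -> {try_checked(IMAGE_ROOT, req)}")
```

Running the block prints, for each constructed request, what the unchecked join would open and what the hardened check returns; the absolute and parent-directory inputs resolve to files outside the image root in the first column and are rejected (None) in the second.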
Attack Vector
The attack vector for this vulnerability is network-based and requires no authentication or user interaction. An attacker with network access to the NAKIVO Backup & Replication web interface can send specially crafted HTTP requests to the /c/router endpoint. By manipulating the path parameter in getImageByPath requests, the attacker can traverse the file system and read sensitive files.
The attack flow typically involves:
- Identifying a vulnerable NAKIVO Backup & Replication instance exposed to the network
- Sending crafted HTTP requests to /c/router with the getImageByPath function
- Using absolute paths to read configuration files, credential stores, and other sensitive data
- Leveraging discovered cleartext credentials from PhysicalDiscovery for lateral movement and remote code execution
For detailed technical analysis and proof-of-concept information, refer to the watchTowr CVE-2024-48248 Analysis and the GitHub PoC repository.
Detection Methods for CVE-2024-48248
Indicators of Compromise
- HTTP requests to /c/router containing getImageByPath with absolute file paths or path traversal sequences
- Unusual access patterns to NAKIVO Backup & Replication web interface from external IP addresses
- Evidence of credential theft or unauthorized authentication attempts using credentials stored in PhysicalDiscovery
- Log entries showing access to sensitive system files such as /etc/passwd, configuration files, or credential stores
Detection Strategies
- Monitor web server logs for requests to /c/router endpoints containing suspicious path parameters
- Implement network-based detection rules for HTTP traffic containing path traversal patterns targeting NAKIVO instances
- Deploy file integrity monitoring on NAKIVO configuration directories to detect unauthorized access attempts
- Correlate authentication events across the enterprise to identify credential misuse following potential exploitation
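The first indicator of compromise and the first two detection strategies above amount to one check: decode each request to /c/router and flag getImageByPath calls whose parameter values carry an absolute path or a parent-directory segment, and separately count /c/router requests arriving from outside the administrative network. The following added example (not from the page or from NAKIVO) implements that over constructed access-log lines. The Director's own log layout and the exact way a getImageByPath request encodes its path are not given on the page, so the combined-log format and the query-string shape are assumptions; the trusted network 10.0.1.0/24 is taken from the page's iptables workaround.

```python
import re
import ipaddress
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample in combined log format, as a reverse proxy in front of the
# Director might record it. The query-string shape of the getImageByPath call is
# an assumption made so the example has something to match on.
SAMPLE_LOG = """\
10.0.1.15 - - [04/Mar/2025:10:01:02 +0000] "POST /c/router HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.1.15 - - [04/Mar/2025:10:01:03 +0000] "GET /c/router?action=getImageByPath&path=logos/site.png HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Mar/2025:10:05:44 +0000] "GET /c/router?action=getImageByPath&path=%2Fetc%2Fhostname HTTP/1.1" 200 1894 "-" "python-requests/2.31"
203.0.113.7 - - [04/Mar/2025:10:05:45 +0000] "GET /c/router?action=getImageByPath&path=..%252F..%252Fconf%2Fsettings HTTP/1.1" 200 2201 "-" "python-requests/2.31"
198.51.100.9 - - [04/Mar/2025:10:07:10 +0000] "GET /c/login HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# The trusted administrative network from the page's iptables workaround.
ADMIN_NETS = [ipaddress.ip_network("10.0.1.0/24")]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
DOTDOT_RE = re.compile(r'(^|/)\.\.(/|$)')
DRIVE_RE = re.compile(r'^[A-Za-z]:/')


def decode_fully(s: str, rounds: int = 3) -> str:
    """Strip up to `rounds` layers of percent-encoding (catches %252F double encoding)."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_traversal_target(target: str) -> bool:
    """True when the request target is a getImageByPath call on /c/router whose
    parameter values carry an absolute path, a drive letter or a '..' segment."""
    t = decode_fully(target).replace("\\", "/")
    path, _, query = t.partition("?")
    if not path.startswith("/c/router") or "getImageByPath" not in t:
        return False
    for param in query.split("&"):
        _, _, value = param.partition("=")
        if value.startswith("/") or DOTDOT_RE.search(value) or DRIVE_RE.match(value):
            return True
    return False


def analyze(log_text: str) -> Dict[str, object]:
    """Return traversal alerts and a per-source count of /c/router requests
    that did not originate from the administrative network."""
    alerts: List[Dict[str, str]] = []
    outside_admin: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, target = m["src"], m["target"]
        if decode_fully(target).partition("?")[0].startswith("/c/router"):
            try:
                addr = ipaddress.ip_address(src)
            except ValueError:
                addr = None
            if addr is None or not any(addr in net for net in ADMIN_NETS):
                outside_admin[src] += 1
        if is_traversal_target(target):
            alerts.append({"src": src, "ts": m["ts"], "status": m["status"], "target": target})
    return {"traversal_alerts": alerts, "router_hits_outside_admin": outside_admin}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for a in result["traversal_alerts"]:
        print(f"ALERT traversal {a['src']} {a['ts']} HTTP {a['status']} {a['target']}")
    for src, n in result["router_hits_outside_admin"].items():
        print(f"NOTE  {n} /c/router request(s) from {src}, outside the admin network")
```

The response status is carried into each alert on purpose: a 200 on a flagged request is evidence the read succeeded and should drive the credential-rotation step in the mitigation section, whereas a 4xx indicates an attempt that was blocked. If the Director receives getImageByPath calls in a POST body rather than a query string, an access log alone will not show the path and the same logic has to run on WAF or reverse-proxy logs that record request bodies.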
Monitoring Recommendations
- Enable verbose logging on NAKIVO Backup & Replication instances to capture detailed request information
- Configure SIEM alerts for anomalous access patterns to backup infrastructure components
- Monitor for outbound connections from NAKIVO servers that may indicate data exfiltration or command-and-control activity
- Implement network segmentation monitoring to detect lateral movement attempts using compromised credentials
How to Mitigate CVE-2024-48248
Immediate Actions Required
- Upgrade NAKIVO Backup & Replication to version 11.0.0.88174 or later immediately
- Restrict network access to NAKIVO Backup & Replication management interfaces to trusted administrative networks only
- Rotate all credentials stored in PhysicalDiscovery as they may have been compromised
- Conduct forensic analysis on systems running vulnerable versions to identify potential exploitation
Patch Information
NAKIVO has addressed this vulnerability in version 11.0.0.88174 and later releases. Organizations should review the NAKIVO Release Notes for detailed upgrade information and apply the security update as a priority. Because this vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog, federal agencies are required to remediate within the specified deadline, and all organizations should treat it as an urgent priority.
Workarounds
- Implement strict network access controls to limit exposure of NAKIVO management interfaces to only necessary administrative hosts
- Deploy web application firewall (WAF) rules to block requests containing path traversal patterns to /c/router
- Place NAKIVO Backup & Replication instances behind a VPN or bastion host to prevent direct internet exposure
- Monitor and audit all access to the NAKIVO web interface while awaiting patch deployment
# Example: restrict access to the NAKIVO Director web interface with iptables
# Allow only the trusted admin network (10.0.1.0/24) to reach the Director's
# web interface port (4443 here; adjust if your deployment uses another port).
# These rules must come before any broader ACCEPT rule already in the INPUT
# chain (use -I instead of -A if one exists) and must be persisted across reboots.
iptables -A INPUT -p tcp --dport 4443 -s 10.0.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 4443 -j DROP
# iptables does not inspect HTTP request contents, so blocking path traversal
# patterns in requests to /c/router belongs in the WAF or reverse proxy in front
# of the Director. Both measures are stopgaps until the upgrade to 11.0.0.88174.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

