CVE-2024-48248 in Backup & Replication Director
Summary
by MITRE • 03/04/2025
NAKIVO Backup & Replication before 11.0.0.88174 allows absolute path traversal for reading files via getImageByPath to /c/router (this may lead to remote code execution across the enterprise because PhysicalDiscovery has cleartext credentials).
Analysis
by VulDB Data Team • 10/22/2025
The vulnerability identified as CVE-2024-48248 affects NAKIVO Backup & Replication software versions prior to 11.0.0.88174, representing a critical security flaw that enables unauthorized file access through improper input validation. This vulnerability exists within the getImageByPath endpoint that interfaces with the /c/router path, allowing attackers to manipulate file paths and access arbitrary files on the system. The flaw stems from insufficient validation of user-supplied input parameters that are directly used in file system operations without proper sanitization or access control mechanisms.
The technical implementation of this vulnerability leverages absolute path traversal techniques that bypass normal file system access controls by constructing malicious file paths that can navigate beyond the intended directory boundaries. When the system processes requests to the getImageByPath endpoint, it fails to properly validate or sanitize the path parameter, enabling attackers to specify absolute paths that point to sensitive files outside the intended application scope. This weakness directly maps to CWE-22, which describes improper limitation of a pathname to a restricted directory, commonly known as path traversal or directory traversal attacks.
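The CWE-22 pattern described above, shown as an added example (not NAKIVO's code and not from the advisory): a naive join that silently accepts an absolute path beside a hardened resolver that confines every caller-supplied path to the image directory. The base directory, parameter names and sample paths are constructed for illustration.

```python
import os
from pathlib import PurePosixPath, PureWindowsPath
from typing import Optional


def naive_image_path(base_dir: str, user_path: str) -> str:
    """The weak pattern: the caller-supplied path is joined onto the image
    directory with no checks. os.path.join discards base_dir entirely when
    user_path is absolute, which is the absolute-path-traversal variant of
    CWE-22 this advisory describes."""
    return os.path.normpath(os.path.join(base_dir, user_path))


def is_absolute_any_os(user_path: str) -> bool:
    """Reject both POSIX ("/etc/...") and Windows ("C:\\...", "\\\\srv\\...")
    absolute forms, since the service may run on either platform."""
    return (PurePosixPath(user_path).is_absolute()
            or PureWindowsPath(user_path).is_absolute())


def safe_image_path(base_dir: str, user_path: str) -> Optional[str]:
    """Hardened form: return the resolved path only if it stays inside
    base_dir, otherwise None so the caller can refuse the request."""
    if is_absolute_any_os(user_path) or "\x00" in user_path:
        return None
    root = os.path.realpath(base_dir)
    # realpath collapses ".." segments and follows symlinks before the check
    candidate = os.path.realpath(os.path.join(root, user_path))
    # commonpath (not startswith) defeats prefix tricks such as
    # "/srv/images_private" passing a check against "/srv/images"
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    base = "/srv/images"  # constructed example directory
    for p in ["vm1/disk.png", "/etc/passwd", "../../etc/passwd",
              "../images_private/x.png", "C:\\Windows\\win.ini"]:
        print(f"{p!r:30} naive={naive_image_path(base, p)!r:28} "
              f"safe={safe_image_path(base, p)!r}")
```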
The operational impact of this vulnerability extends beyond unauthorized file reading and can lead to remote code execution across an entire enterprise network. It becomes particularly dangerous in combination with the PhysicalDiscovery component, which stores credentials in cleartext: an attacker first reads files through the path traversal and then uses the recovered credentials to execute code on the systems those credentials unlock. This chain is mapped here to ATT&CK techniques T1078.004, covering valid accounts with default passwords, and T1566.001, phishing with malicious attachments or links that could deliver an exploit for this vulnerability.
Security practitioners should note that this vulnerability operates at the application layer and can be exploited without requiring authentication for the path traversal component, making it particularly dangerous in environments where the application is exposed to untrusted networks. The cleartext credential storage in PhysicalDiscovery components creates additional attack vectors that can be leveraged by threat actors to escalate privileges and move laterally within the network infrastructure. Organizations should immediately implement patch management procedures to update to version 11.0.0.88174 or higher, while also reviewing and securing credential storage mechanisms throughout their backup and replication infrastructure to prevent credential compromise.
The remediation strategy should include comprehensive network segmentation to limit access to backup systems, implementation of strict input validation controls for all file system operations, and immediate review of credential storage practices to eliminate cleartext passwords. Additionally, organizations should conduct thorough security assessments of their backup infrastructure to identify similar vulnerabilities and implement proper access controls that prevent unauthorized file system access. The vulnerability demonstrates the critical importance of input validation and proper access control mechanisms in preventing privilege escalation attacks that can compromise entire enterprise environments.