- NAKIVO patched a high-severity flaw in November 2024
- However CISA has now added it to KEV, signalling abuse in the wild
- The bug can lead to remote code execution
The US Cybersecurity and Infrastructure Security Agency (CISA) added a NAKIVO bug to its Known Exploited Vulnerabilities (KEV) catalog, signaling in-the-wild abuse and giving government agencies a deadline to apply the provided patch.
The bug in question is tracked as CVE-2024-48248. It is an absolute path traversal vulnerability affecting the Backup & Replication software, in versions before 11.0.0.88174.
It has a severity score of 8.6/10 (high) and can lead to remote code execution across the vulnerable enterprise.
CISA’s deadline
The bug was patched in November 2024, two months after being tipped off by watchTowr Labs.
“Exploiting this vulnerability could expose sensitive data, including configuration files, backups, and credentials, potentially leading to data breaches or further security compromises,” NAKIVO said in its security advisory.
While the security advisory does not discuss the idea of abuse in the wild, CISA removed any doubt when it added the bug to the KEV catalog. Now, Federal Civilian Executive Branch (FCEB) agencies have three weeks (until April 9), to apply the patch, or stop using the NAKIVO product entirely.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said.
While FCEB agencies are mandated by the Binding Operational Directive (BOD) 22-01, commercial businesses are not. It would still be wise to follow CISA’s lead and apply the patch, especially knowing that cybercriminals are actively exploiting the bug.
NAKIVO is a US-based company, specializing in backup, ransomware protection, and disaster recovery solutions for virtual, physical, cloud, and SaaS environments.
Backup & Replication is its flagship product, supporting platforms such as VMware vSphere, Hyper-V, Nutanix AHV, Amazon AWS EC2, Microsoft Azure, Wasabi, Backblaze B2, Microsoft 365, and various NAS devices.
According to some reports, the company has 25,000 customers in 183 countries and a network of over 7,500 partners worldwide. Some of its clients include Honda, Cisco, Coca-Cola, and Siemens. Their clientele spans multiple industries, including IT, hospitality, government, and education.
Via BleepingComputer
Leave a comment