What happened
CISA added CVE-2024-48248 to the Known Exploited Vulnerabilities (KEV) catalog on 2025-03-19, confirming active exploitation in the wild (CISA KEV). The affected product is NAKIVO Backup and Replication (CISA KEV). The flaw is an absolute path traversal that enables attackers to read arbitrary files on the host system (NVD CVE-2024-48248). CISA set a remediation due date of 2025-04-09 for Federal Civilian Executive Branch agencies (CISA KEV). The issue maps to CWE-36 (Absolute Path Traversal) (MITRE CWE-36).
Why it matters
Arbitrary file read via path traversal can expose configuration files, credentials, keys, and tokens that reside on the backup server’s filesystem (MITRE CWE-36). Backup/replication platforms store credentials for the hypervisors, storage, and cloud accounts they protect and have network reach into production, so file disclosure on one of these services is a high-impact foothold rather than an isolated information leak (NVD CVE-2024-48248). Inclusion in CISA’s KEV means exploitation has been observed in the wild and remediation is mandatory within the KEV timeline for FCEB agencies (CISA KEV).
Technical detail
CVE-2024-48248 is classified as an Absolute Path Traversal (CWE-36): user-controlled input is used to build a filesystem path without rejecting absolute paths, so the attacker names the target file directly instead of walking out of a directory with “../” sequences (the relative case is CWE-23) (MITRE CWE-36). The usual root cause is a path-join that discards the configured base directory as soon as a later component is absolute; supplying “/etc/passwd” then resolves to /etc/passwd itself, and any file readable by the service account, frequently a privileged account on appliance deployments, can be retrieved (MITRE CWE-36). The NVD record describes the flaw as arbitrary file read via the getImageByPath action of the /c/router endpoint in versions before v11.0.0.88174, and notes that the reachable files include the product’s database of stored credentials, confirming the exposure class (NVD CVE-2024-48248). CISA’s KEV entry confirms exploitation in the wild and assigns the remediation deadline, elevating this issue to immediate action status for covered entities (CISA KEV). MITRE also tracks the CVE, aligning on the vulnerability identification and references for ongoing updates (MITRE CVE).
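To make the CWE-36 mechanism concrete, the Python below is an added illustration (not NAKIVO’s code and not part of the original advisory) of the resolution bug in miniature: os.path.join() drops the configured base directory the moment a later component is absolute, so a handler that passes a request parameter straight into the join returns the attacker’s path unchanged. The hardened resolver rejects absolute input up front and then checks the symlink-resolved result against the base, which also catches the relative “../” variant and the check described under Defense. The temporary directory tree, the file names and the function names are constructed for the demo.

```python
"""Added example: absolute path traversal (CWE-36) in miniature.
Constructed demo tree; not NAKIVO code."""
import os
import tempfile
from pathlib import Path


def unsafe_resolve(base_dir: str, requested: str) -> str:
    """Vulnerable pattern. os.path.join() discards every earlier component
    when a later one is absolute, so requested='/etc/passwd' yields
    '/etc/passwd', not '<base_dir>/etc/passwd'."""
    return os.path.join(base_dir, requested)


def safe_resolve(base_dir: str, requested: str) -> str:
    """Hardened resolver: refuse absolute input, then confirm the
    symlink-resolved candidate still lives under base_dir."""
    if os.path.isabs(requested):
        raise ValueError(f"absolute path rejected: {requested!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes base directory: {requested!r}")
    return candidate


def build_demo_tree() -> tuple:
    """Constructed sample tree: <root>/images/logo.png is meant to be served,
    <root>/secret.txt must never be reachable through the image handler."""
    root = tempfile.mkdtemp(prefix="cwe36-demo-")
    images = os.path.join(root, "images")
    os.makedirs(images)
    Path(images, "logo.png").write_bytes(b"\x89PNG")
    secret = os.path.join(root, "secret.txt")
    Path(secret).write_text("db-password=hunter2\n")
    return images, secret


def run_demo() -> dict:
    """Exercise both resolvers against the same inputs; every value is True
    when the vulnerable resolver escapes and the hardened one holds."""
    images, secret = build_demo_tree()
    out = {}
    # 1. Absolute path against the vulnerable resolver: the base is discarded.
    out["unsafe_abs_escapes"] = unsafe_resolve(images, secret) == secret
    # 2. Same input against the hardened resolver: rejected before any I/O.
    try:
        safe_resolve(images, secret)
        out["safe_abs_rejected"] = False
    except ValueError:
        out["safe_abs_rejected"] = True
    # 3. Relative traversal (the CWE-23 sibling) is caught by the realpath check.
    try:
        safe_resolve(images, "../secret.txt")
        out["safe_rel_rejected"] = False
    except ValueError:
        out["safe_rel_rejected"] = True
    # 4. A legitimate request still resolves and reads the intended file.
    out["safe_ok"] = Path(safe_resolve(images, "logo.png")).read_bytes() == b"\x89PNG"
    return out


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

The realpath step matters: a check on the joined string alone is fooled by a symlink inside the served directory that points outside it, and commonpath rather than startswith avoids treating /srv/images-private as inside /srv/images.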
Defense
CISA’s required action for KEV entries applies here: apply mitigations per the vendor’s instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable (CISA KEV). Remediate before the 2025-04-09 due date, and govern any exception tightly if business constraints delay the change (CISA KEV). Upgrading to a build at or above the fixed version named on the NVD record is the real fix; where that cannot happen immediately, reduce exposure by taking the management web interface off the internet and restricting it to administrative networks or VPN, since the file read is reached through ordinary HTTP requests to that interface (NVD CVE-2024-48248). Validate that any compensating control (WAF rule, reverse-proxy filter) rejects absolute paths in request parameters, including URL-encoded and double-encoded forms and Windows drive-letter paths, and test it against common targets such as the OS password and shadow files to confirm no disclosure path remains (MITRE CWE-36). Because the reachable files include stored credentials, treat any instance that was exposed to untrusted networks while vulnerable as potentially compromised: review access logs for absolute-path requests and rotate the secrets held on the server (NVD CVE-2024-48248). Track vendor advisories and the NVD/MITRE entries for further updates on affected builds and fixes (NVD CVE-2024-48248, MITRE CVE).
Lyrie Verdict
This KEV-listed, actively exploited path traversal in a backup platform demands detection and response that moves faster than an interactive attacker (CISA KEV). Instrument detections for absolute-path or traversal values in request parameters to the management interface, and weight hits that return a 200 with a non-trivial body for high-value locations (password and shadow files, key material, the product’s own credential store), consistent with CWE-36 behavior (MITRE CWE-36). When a traversal indicator against this CVE class is confirmed, automated containment should isolate the service and trigger credential rotation before the actor pivots or exfiltrates secrets (NVD CVE-2024-48248).
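As an added example of the detection logic called for above and in the Defense section (not the page’s own tooling and not a vendor signature), the Python below scans web-server access logs in the common combined format for request parameters whose decoded value is an absolute POSIX or Windows path or contains a “../” sequence, unwinds nested percent-encoding so that %252F is not missed, and tags hits on well-known secret-bearing locations. The log lines, the /api/file endpoint and the path parameter are constructed for the example; they are not the vulnerable NAKIVO endpoint, so point the scanner at the real interface’s logs and parameter names when you deploy it.

```python
"""Added example: flag absolute-path and traversal values in access-log
request parameters. Constructed sample data; not NAKIVO's tooling."""
import re
import urllib.parse
from dataclasses import dataclass

# Combined-log-format subset: client, timestamp, request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Locations whose disclosure usually means credentials or keys are gone.
SENSITIVE = (
    "/etc/passwd", "/etc/shadow", "/root/", "/home/", "/proc/self/",
    "/var/lib/", ".ssh/", "id_rsa", ".pem", ".key",
    "c:/windows/", "c:/users/", "c:/programdata/",
)


@dataclass
class Alert:
    src: str
    ts: str
    param: str
    decoded: str
    reason: str
    status: str


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo nested percent-encoding (%252F -> %2F -> /) up to `rounds` times."""
    for _ in range(rounds):
        nxt = urllib.parse.unquote_plus(value)
        if nxt == value:
            break
        value = nxt
    return value


def is_absolute_path(value: str) -> bool:
    """True for POSIX (/x), UNC (//x) and Windows drive (C:\\x) absolute paths."""
    v = value.replace("\\", "/")
    return v.startswith("/") or re.match(r"^[A-Za-z]:/", v) is not None


def classify(raw: str) -> tuple:
    """Return (decoded_value, reason) for one parameter value; reason is None
    when the value looks like an ordinary relative name."""
    decoded = fully_decode(raw)
    norm = decoded.replace("\\", "/").lower()
    if is_absolute_path(decoded):
        for marker in SENSITIVE:
            if marker in norm:
                return decoded, f"absolute path to sensitive location ({marker})"
        return decoded, "absolute path in request parameter"
    if "../" in norm:
        return decoded, "relative traversal sequence"
    return decoded, None


def scan_line(line: str) -> list:
    """Parse one log line and return an Alert per suspicious parameter."""
    m = LOG_RE.match(line)
    if not m:
        return []
    query = urllib.parse.urlsplit(m["target"]).query
    alerts = []
    # parse_qsl performs the first decode; fully_decode handles deeper layers.
    for name, raw in urllib.parse.parse_qsl(query, keep_blank_values=True):
        decoded, reason = classify(raw)
        if reason:
            alerts.append(Alert(m["src"], m["ts"], name, decoded, reason, m["status"]))
    return alerts


def scan(lines) -> list:
    return [a for line in lines for a in scan_line(line)]


# Constructed sample log: one benign image request, three absolute-path probes
# (plain, double-encoded, Windows), one relative traversal, one unrelated POST.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Mar/2025:10:01:02 +0000] "GET /api/file?path=logos%2Fnakivo.png HTTP/1.1" 200 5120
203.0.113.7 - - [19/Mar/2025:10:01:05 +0000] "GET /api/file?path=%2Fetc%2Fpasswd HTTP/1.1" 200 2341
203.0.113.7 - - [19/Mar/2025:10:01:06 +0000] "GET /api/file?path=%252Fetc%252Fshadow HTTP/1.1" 200 1400
198.51.100.9 - - [19/Mar/2025:10:02:10 +0000] "GET /api/file?path=..%2F..%2Fconfig%2Fdb.properties HTTP/1.1" 404 0
198.51.100.9 - - [19/Mar/2025:10:02:11 +0000] "GET /api/file?path=C%3A%5CWindows%5Cwin.ini HTTP/1.1" 200 403
192.0.2.5 - - [19/Mar/2025:10:03:00 +0000] "POST /login HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        outcome = "likely disclosure" if a.status == "200" else "blocked/failed"
        print(f"{a.ts} {a.src} {a.param}={a.decoded!r}: {a.reason} [{outcome}]")
```

A 200 with a body size that matches the target file is the signal to act on; a 404 or 403 on the same pattern is still reconnaissance worth correlating by source address. Extend SENSITIVE with the product’s own configuration and credential-store paths once you know them for your deployment.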