CISA has warned U.S. federal agencies to secure their networks against attacks exploiting a high-severity vulnerability in NAKIVO's Backup & Replication software.

Tracked as CVE-2024-48248, this absolute path traversal flaw can be exploited by unauthenticated attackers to read arbitrary files on vulnerable devices.

"Exploiting this vulnerability could expose sensitive data, including configuration files, backups, and credentials, potentially leading to data breaches or further security compromises," NAKIVO explains.

The US-based backup and ransomware recovery software vendor silently patched the security flaw with the release of Backup & Replication v11.0.0.88174 in November, almost two months after being notified of the issue by cybersecurity company watchTowr, which discovered the vulnerability.

Today, CISA added CVE-2024-48248 to its Known Exploited Vulnerabilities catalog, which lists security bugs flagged by the cybersecurity agency as exploited in the wild.

Federal Civilian Executive Branch (FCEB) agencies now have three weeks, until April 9th, to secure their systems against attacks, as mandated by the Binding Operational Directive (BOD) 22-01 issued in November 2021.

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA said.

While BOD 22-01 only applies to federal agencies, all organizations are advised to prioritize patching this vulnerability as soon as possible to block ongoing attacks.
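The bug class named above, absolute path traversal (CWE-36), comes down to a file-serving routine that trusts a caller-supplied path. The added example below is not NAKIVO's code and says nothing about how its product is built; it shows the generic vulnerable pattern beside a hardened resolver, using a constructed sandbox directory and constructed file names.

```python
"""Absolute path traversal (CWE-36): a vulnerable read beside a hardened one.
Added illustration only; base directory and file names are constructed for the demo."""
import os
import tempfile


def read_file_vulnerable(base_dir: str, requested: str) -> bytes:
    # os.path.join discards base_dir entirely when `requested` is absolute,
    # so a caller-controlled absolute path reads any file the process can.
    with open(os.path.join(base_dir, requested), "rb") as f:
        return f.read()


def resolve_under_base(base_dir: str, requested: str) -> str:
    """Return a canonical path inside base_dir, or raise ValueError."""
    if os.path.isabs(requested):
        raise ValueError("absolute paths are not allowed")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # Containment check on canonical paths: defeats '..' segments and symlink escapes.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes base directory")
    return target


def read_file_hardened(base_dir: str, requested: str) -> bytes:
    with open(resolve_under_base(base_dir, requested), "rb") as f:
        return f.read()


def demo() -> dict:
    """Exercise both handlers against a constructed sandbox; returns results by case."""
    with tempfile.TemporaryDirectory() as base, tempfile.TemporaryDirectory() as outside:
        allowed = os.path.join(base, "backup.cfg")       # constructed, inside base
        secret = os.path.join(outside, "secret.txt")     # constructed, outside base
        with open(allowed, "wb") as f:
            f.write(b"allowed")
        with open(secret, "wb") as f:
            f.write(b"SECRET")
        results = {"vuln_absolute": read_file_vulnerable(base, secret),  # leaks b"SECRET"
                   "hardened_ok": read_file_hardened(base, "backup.cfg")}
        dotdot = os.path.join("..", os.path.basename(outside), "secret.txt")
        for name, req in (("absolute", secret), ("dotdot", dotdot)):
            try:
                read_file_hardened(base, req)
                results["hardened_" + name] = "read"
            except ValueError as exc:
                results["hardened_" + name] = "blocked: " + str(exc)
        return results


if __name__ == "__main__":
    print(demo())
```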
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 20 Mar 2025 21:15:04 +0000