The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity security flaw impacting NAKIVO Backup & Replication software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability in question is CVE-2024-48248 (CVSS score: 8.6), an absolute path traversal bug that could allow an unauthenticated attacker to read arbitrary files on the target host, including sensitive ones such as "/etc/shadow," via the endpoint "/c/router." It affects all versions of the software up to and including 10.11.3.86570.
"NAKIVO Backup and Replication contains an absolute path traversal vulnerability that enables an attacker to read arbitrary files," CISA said in an advisory.
Successful exploitation of the shortcoming could allow an adversary to read sensitive data, including configuration files, backups, and credentials, which could then act as a stepping stone for further compromises.
There are currently no details on how the vulnerability is being exploited in the wild, but the development comes after watchTowr Labs published a proof-of-concept (PoC) exploit towards the end of last month. NAKIVO fixed the issue in version v11.0.0.88174, released in November 2024.
watchTowr further noted that the unauthenticated arbitrary file read vulnerability could be weaponized to obtain all stored credentials used by the target NAKIVO deployment, which are held in the product's H2 database file "product01.h2.db."
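The bug class behind CVE-2024-48248 is worth seeing in code. The following is an added example, not NAKIVO's code and not the watchTowr PoC: it models a hypothetical file-serving helper that takes a user-supplied path, shows why a naive `os.path.join()` lets an absolute path (or a `..` sequence) escape the intended directory, and places the hardened lookup beside it. The temporary directory layout and file contents are constructed for the demonstration.

```python
import os
import tempfile


def read_file_vulnerable(base_dir: str, user_path: str) -> bytes:
    """Naive lookup: os.path.join() discards base_dir entirely when
    user_path is absolute (the 'absolute path traversal' case) and
    never checks for '..' components either."""
    full = os.path.join(base_dir, user_path)
    with open(full, "rb") as fh:
        return fh.read()


def read_file_hardened(base_dir: str, user_path: str) -> bytes:
    """Reject absolute input outright, then canonicalise the joined path
    (resolving '..' and symlinks) and confirm it still lives under base_dir."""
    base = os.path.realpath(base_dir)
    if os.path.isabs(user_path):
        raise PermissionError("absolute paths are not accepted")
    full = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, full]) != base:
        raise PermissionError("path escapes the base directory")
    with open(full, "rb") as fh:
        return fh.read()


def _attempt(func, *args):
    """Return the bytes read, or the exception class name if the lookup was refused."""
    try:
        return func(*args)
    except PermissionError as exc:
        return type(exc).__name__


def demo() -> dict:
    """Build a throwaway tree (constructed sample data) and exercise both lookups.

    images/cat.png is the only file the helper is meant to serve;
    secret.txt sits one level up and stands in for /etc/shadow or a
    credential database that must never be reachable."""
    with tempfile.TemporaryDirectory() as root:
        images = os.path.join(root, "images")
        os.mkdir(images)
        with open(os.path.join(images, "cat.png"), "wb") as fh:
            fh.write(b"PNG-bytes")
        secret = os.path.join(root, "secret.txt")
        with open(secret, "wb") as fh:
            fh.write(b"db-password")
        return {
            "legit": _attempt(read_file_hardened, images, "cat.png"),
            # absolute path: os.path.join() throws base_dir away
            "vuln_absolute": _attempt(read_file_vulnerable, images, secret),
            # classic dot-dot escape
            "vuln_dotdot": _attempt(read_file_vulnerable, images, "../secret.txt"),
            "hard_absolute": _attempt(read_file_hardened, images, secret),
            "hard_dotdot": _attempt(read_file_hardened, images, "../secret.txt"),
        }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15} -> {outcome!r}")
```

The hardened version checks containment after `realpath()` rather than by string prefix on the raw input, so percent-decoding tricks, `..` chains and symlinks inside the served directory are all resolved before the comparison is made.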
Also added to the KEV catalog are two other flaws -
- CVE-2025-1316 (CVSS score: 9.3) - Edimax IC-7100 IP camera contains an OS command injection vulnerability due to improper input sanitization that allows an attacker to achieve remote code execution via specially crafted requests (Unpatched due to the device reaching end-of-life)
- CVE-2017-12637 (CVSS score: 7.5) - SAP NetWeaver Application Server (AS) Java contains a directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS that allows a remote attacker to read arbitrary files via a .. (dot dot) in the query string
Last week, Akamai revealed that CVE-2025-1316 is being weaponized by bad actors to target cameras with default credentials in order to deploy at least two different Mirai botnet variants since May 2024.
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary mitigations by April 9, 2025, to secure their networks.
Update
SAP cybersecurity platform Onapsis said it has observed active exploitation attempts targeting CVE-2017-12637 in the wild, and that threat actors have used the flaw to obtain sensitive SAP configuration files from the underlying operating system.
"The nature of this particular directory traversal vulnerability allows an attacker to extract system files including credentials or the SAP Secure Store that can directly result in full system compromise," JP Perez-Etchegoyen, Onapsis CTO, and Paul Laudanski, director of security research, said in a report published on March 25, 2025.
The exploitation of CVE-2017-12637 can have severe ramifications, as it allows threat actors to exfiltrate all kinds of files, including the SAP Secure Store that can be used to extract privileged SAP user credentials. This could then allow the attackers to gain full access to the unprotected SAP application.
"The exploitation of CVE-2017-12637 is performed over HTTP(s), and its test is straightforward; an attacker can execute a GET method to the affected URL with a typical path traversal exploit," the company added. "Threat actors have demonstrated extensive knowledge about the affected SAP systems, using the vulnerability to obtain critical SAP configuration files from the operating system."
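Because the exploitation path is a plain HTTP GET with a dot-dot sequence in the query string against a known URL, it is easy to hunt for in web server logs. The following is an added detection example, not Onapsis tooling and not from the article: it parses common-format access log lines, percent-decodes the request target repeatedly so double-encoded `..%252F` is not missed, and rates hits against the `UIUtilJavaScriptJS` endpoint named in the KEV entry higher than generic traversal attempts elsewhere. The log lines and client addresses are constructed samples.

```python
import re
from urllib.parse import unquote, urlsplit

# Endpoint named in the CVE-2017-12637 KEV entry.
SAP_JS_ENDPOINT = "scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS"

# Common/combined log format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# A '..' component followed by a separator or end of string.
DOTDOT_RE = re.compile(r"\.\.(?:[\\/]|$)")

# Constructed sample log; addresses are from documentation ranges.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [25/Mar/2025:10:01:12 +0000] "GET /scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS?..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1412
198.51.100.7 - - [25/Mar/2025:10:02:40 +0000] "GET /scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS HTTP/1.1" 200 3210
192.0.2.9 - - [25/Mar/2025:10:03:05 +0000] "GET /irj/portal HTTP/1.1" 200 512
203.0.113.5 - - [25/Mar/2025:10:04:51 +0000] "GET /scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS?..%252F..%252F..%252Fetc%252Fhosts HTTP/1.1" 200 2048
198.51.100.22 - - [25/Mar/2025:10:05:13 +0000] "GET /download?file=../../etc/shadow HTTP/1.1" 404 210
"""


def decode_repeatedly(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that
    double-encoded traversal sequences are seen in their final form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(line: str):
    """Return a finding dict for a traversal attempt, or None for benign/unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Split on the raw target first so an encoded '?' cannot move content between path and query.
    parts = urlsplit(m.group("target"))
    path = decode_repeatedly(parts.path)
    query = decode_repeatedly(parts.query)
    if not (DOTDOT_RE.search(path) or DOTDOT_RE.search(query)):
        return None
    finding = {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": m.group("status"),
        "path": path,
        "query": query,
    }
    if SAP_JS_ENDPOINT in path:
        finding["severity"] = "high"
        finding["reason"] = "dot-dot sequence sent to the SAP UIUtilJavaScriptJS endpoint (CVE-2017-12637 pattern)"
    else:
        finding["severity"] = "medium"
        finding["reason"] = "directory traversal sequence in request"
    return finding


def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify_request, lines) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_ACCESS_LOG.splitlines()):
        print(f'{f["severity"]:6} {f["ip"]:15} {f["status"]} {f["path"]}?{f["query"]}  {f["reason"]}')
```

A 200 status on the high-severity hits is the detail to act on: the endpoint returns content for traversal requests on unpatched systems, so a successful response is a strong indicator that the file was actually served and the host should be treated as compromised rather than merely scanned.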
(The story was updated after publication on March 26, 2025, to include details about exploitation of CVE-2017-12637.)