- Nakivo patched a high-severity flaw in November 2024
- CISA has now added it to the KEV catalog, signalling in-the-wild exploitation
- The flaw can lead to remote code execution
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a Nakivo bug to its Known Exploited Vulnerabilities (KEV) catalog, signalling in-the-wild exploitation and giving government agencies a deadline to apply the vendor's patch.
The flaw in question is tracked as CVE-2024-48248. It is an absolute path traversal vulnerability affecting the Backup & Replication software in versions prior to 11.0.0.88174.
It carries a severity score of 8.6/10 (high) and can lead to remote code execution across the vulnerable enterprise.
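To make the bug class concrete, here is an added illustration of absolute path traversal (CWE-36) in Python, showing the vulnerable pattern beside a hardened resolver; it is example code written for this article, not Nakivo's code, and the base directory, file names and request paths are constructed for the demonstration.

```python
import os

# Hypothetical data directory for the example; not a Nakivo path.
BASE_DIR = "/srv/backups"


def resolve_unsafe(user_path: str) -> str:
    """Vulnerable pattern: os.path.join drops every earlier component as soon
    as a later one is absolute, so "/etc/passwd" silently escapes BASE_DIR.
    Relative "../" sequences escape just as easily after normalisation."""
    return os.path.normpath(os.path.join(BASE_DIR, user_path))


def resolve_safe(user_path: str) -> str:
    """Hardened form: treat the input as relative, canonicalise (symlinks and
    ".." included), then confirm the result is still inside BASE_DIR.
    A plain string-prefix check would wrongly accept /srv/backups2/..., so
    commonpath is used instead."""
    base = os.path.realpath(BASE_DIR)
    candidate = os.path.realpath(os.path.join(base, user_path.lstrip("/\\")))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"path escapes {BASE_DIR}: {user_path!r}")
    return candidate


def is_contained(user_path: str) -> bool:
    """True if the hardened resolver accepts the path, False if it rejects it."""
    try:
        resolve_safe(user_path)
        return True
    except PermissionError:
        return False


def audit(paths):
    """Compare both resolvers over a batch of request paths (constructed input)."""
    return {p: (resolve_unsafe(p), is_contained(p)) for p in paths}


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, two traversal attempts.
    for path, (unsafe, ok) in audit(
        ["job1/config.xml", "/etc/passwd", "../../etc/passwd"]
    ).items():
        print(f"{path!r:22} unsafe -> {unsafe:28} hardened accepts: {ok}")
```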
CISA’s deadline
The flaw was patched in November 2024, two months after being reported by watchTowr Labs.
“Exploitation of this vulnerability can expose sensitive data, including configuration files, backups and credentials, which could potentially lead to data breaches or further security compromises,” Nakivo said in its security advisory.
While the security advisory does not mention in-the-wild exploitation, CISA removed any doubt when it added the flaw to the KEV catalog. Federal Civilian Executive Branch (FCEB) agencies now have three weeks (until April 9) to apply the patch or stop using the Nakivo product altogether.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said.
While FCEB agencies are bound by Binding Operational Directive (BOD) 22-01, commercial companies are not. It would still be wise to follow CISA’s lead and apply the patch, especially given that cybercriminals are actively exploiting the flaw.
Nakivo is a US-based company that specializes in backup, ransomware protection and disaster recovery solutions for virtual, physical, cloud and SaaS environments.
Backup & Replication is its flagship product, supporting platforms such as VMware vSphere, Hyper-V, Nutanix AHV, Amazon AWS EC2, Microsoft Azure, Wasabi, Backblaze B2, Microsoft 365 and various NAS devices.
According to some reports, the company has 25,000 customers in 183 countries and a network of over 7,500 partners worldwide. Its clients include Honda, Cisco, Coca-Cola and Siemens, and its clientele spans several industries, including IT, hospitality, government and education.
Via BleepingComputer