
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
NAKIVO Backup & Replication versions before 11.0.0.88174 contain an absolute path traversal vulnerability (CVE-2024-48248) that lets unauthenticated remote attackers read arbitrary files on the appliance by calling the getImageByPath method through the /c/router endpoint. watchTowr researchers discovered the flaw in September 2024, and the vendor fixed it in version 11.0.0.88174 (Watchtowr Labs, Help Net Security).
The vulnerability is rated HIGH with a CVSS v3.1 base score of 8.6 (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N): reachable over the network, no privileges or user interaction required, full loss of confidentiality with no direct integrity or availability impact, and a changed scope because what is read can affect systems beyond the backup appliance itself. It is classified as Absolute Path Traversal (CWE-36). NVD notes that the flaw may lead to remote code execution across the enterprise because the PhysicalDiscovery component stores credentials in cleartext (NVD).
Exploitation exposes whatever the appliance's service account can read, including configuration files, backup data and stored credentials. With the cleartext PhysicalDiscovery credentials in hand, an attacker can turn a file-read primitive into code execution on other systems across the enterprise, so the practical impact is a potential data breach and a foothold for broader compromise (Help Net Security).
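To make the CWE-36 pattern concrete, here is an added illustration written for this page; it is not NAKIVO's code and not part of watchTowr's research. It models a getImageByPath-style handler that opens the caller-supplied path as given, beside a version confined to an image root. The directory layout, file names and function names are assumptions for the example.

```python
import os
import tempfile

# Constructed sandbox for the example: a directory standing in for the image
# root a getImageByPath-style handler should be confined to, plus a file
# outside that root holding a "secret".  Hypothetical layout, not NAKIVO's.
IMAGE_ROOT = os.path.realpath(tempfile.mkdtemp(prefix="image_root_"))
with open(os.path.join(IMAGE_ROOT, "logo.png"), "wb") as fh:
    fh.write(b"\x89PNG constructed sample image")

_secret = tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False)
_secret.write("db_password=constructed-secret\n")
_secret.close()
SECRET_PATH = _secret.name


def get_image_by_path_vulnerable(path: str) -> bytes:
    """CWE-36 pattern: the caller-supplied path is opened exactly as given.

    An absolute path is never joined to IMAGE_ROOT, so the root places no
    limit on what can be read.  This is the shape of the flaw described
    above, not NAKIVO's actual implementation.
    """
    with open(path, "rb") as fh:
        return fh.read()


def get_image_by_path_hardened(path: str) -> bytes:
    """Same operation, confined to IMAGE_ROOT."""
    # An absolute path can only mean escape from the root: reject it outright
    # rather than "fixing" it by stripping the leading separator.
    if os.path.isabs(path):
        raise PermissionError(f"absolute path rejected: {path!r}")
    # Resolve '..' segments and symlinks, then prove containment.  commonpath
    # rather than startswith, so /root-evil does not pass as inside /root.
    resolved = os.path.realpath(os.path.join(IMAGE_ROOT, path))
    if os.path.commonpath([IMAGE_ROOT, resolved]) != IMAGE_ROOT:
        raise PermissionError(f"path escapes image root: {path!r}")
    with open(resolved, "rb") as fh:
        return fh.read()


def hardened_outcome(path: str) -> str:
    """Run the hardened handler and report what happened, for comparison."""
    try:
        data = get_image_by_path_hardened(path)
    except PermissionError:
        return "rejected"
    except FileNotFoundError:
        return "not-found"
    return "served" if data else "empty"


def demo() -> dict:
    """Vulnerable vs hardened behaviour on the same inputs."""
    # "../<secret>" relies on the secret living beside IMAGE_ROOT in the
    # system temp directory, which is where both were created above.
    dotdot = os.path.join("..", os.path.basename(SECRET_PATH))
    return {
        "vulnerable_leaks_secret":
            get_image_by_path_vulnerable(SECRET_PATH).startswith(b"db_password="),
        "hardened_absolute": hardened_outcome(SECRET_PATH),
        "hardened_dotdot": hardened_outcome(dotdot),
        "hardened_legit": hardened_outcome("logo.png"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The hardened handler rejects absolute paths before doing any resolution, because an absolute argument has no legitimate meaning for a request that is supposed to name a file under the image root; the realpath-plus-commonpath check then closes the relative `..` variant and symlink tricks as well.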
Organizations should upgrade to NAKIVO Backup & Replication version 11.0.0.88174 or later. Web-server and application logs should also be reviewed for requests to /c/router that invoke getImageByPath with absolute paths, and for any other unusual or unauthorized access attempts, since these may indicate exploitation. CISA has set April 9, 2025 as the deadline for federal agencies to apply the vendor patch (NVD, Help Net Security).
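As an added example of the log review suggested above (written for this page, not taken from the cited sources, and not NAKIVO's logging format): a small detector that scans constructed reverse-proxy log lines for /c/router requests whose body invokes getImageByPath with an absolute path or a `..` segment. The line layout, the JSON body shape and all addresses are assumptions; adapt the parser to whatever your proxy or WAF actually records.

```python
import json
import re
from collections import Counter
from typing import Optional

# Constructed sample log.  Layout and body shape are assumptions for this
# example (a proxy that records request bodies), not NAKIVO's real format.
SAMPLE_LOG = r"""
2025-03-18T09:12:44Z 198.51.100.7 POST /c/router 200 {"method":"getJobs","data":[]}
2025-03-18T09:13:02Z 203.0.113.5 POST /c/router 200 {"method":"getImageByPath","data":["/etc/shadow"]}
2025-03-18T09:13:03Z 203.0.113.5 POST /c/router 200 {"method":"getImageByPath","data":["C:\\Windows\\win.ini"]}
2025-03-18T09:14:10Z 198.51.100.7 POST /c/router 200 {"method":"getImageByPath","data":["logos/corp.png"]}
2025-03-18T09:15:00Z 192.0.2.9 GET /c/login 200 -
2025-03-18T09:15:31Z 192.0.2.9 POST /c/router 200 {"method":"getImageByPath","data":["../../etc/passwd"]}
2025-03-18T09:16:02Z 203.0.113.5 POST /c/router 500 not-json
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<verb>\S+) (?P<path>\S+) (?P<status>\d{3}) (?P<body>.*)$"
)
# POSIX root, Windows drive letter, or UNC prefix.
ABS_PATH_RE = re.compile(r"^(?:/|[A-Za-z]:[\\/]|\\\\)")
DOTDOT_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def classify_arg(arg: str) -> Optional[str]:
    """Return why a path argument is suspicious, or None if it looks benign."""
    if ABS_PATH_RE.match(arg):
        return "absolute"   # CWE-36: the case reported against NAKIVO
    if DOTDOT_RE.search(arg):
        return "dotdot"     # CWE-22 style relative traversal, worth flagging too
    return None


def find_suspicious(log_text: str) -> list:
    """Flag /c/router calls to getImageByPath carrying traversal-style paths."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["path"] != "/c/router":
            continue
        try:
            body = json.loads(m["body"])
        except ValueError:
            continue  # "-" or a malformed body: nothing to inspect
        if not isinstance(body, dict) or body.get("method") != "getImageByPath":
            continue
        args = body.get("data") or []
        flagged = [(a, classify_arg(a)) for a in args
                   if isinstance(a, str) and classify_arg(a)]
        if flagged:
            hits.append({
                "ts": m["ts"],
                "src": m["src"],
                "status": int(m["status"]),   # 200 means the read succeeded
                "paths": [a for a, _ in flagged],
                "reasons": sorted({r for _, r in flagged}),
            })
    return hits


def by_source(hits: list) -> Counter:
    """Count flagged requests per client address for triage."""
    return Counter(h["src"] for h in hits)


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(by_source(found))
```

A flagged request that returned 200 before the patch was applied should be treated as a successful file read, and the credentials that the PhysicalDiscovery component stores should be rotated rather than assumed intact.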
The vulnerability has drawn significant attention from the security community because backup systems are prime targets for ransomware operators, who seek to destroy or encrypt backups before deploying ransomware. The delayed disclosure in the release notes and the subsequent exploitation have also raised concerns about the vendor's communication practices (Help Net Security).
Source: This report was generated using AI