Summary: Data protection firm Nakivo has patched a critical vulnerability in its backup and replication products after being informed by a security vendor, but it’s unclear if affected customers were notified prior to the patch. The vulnerability allowed unauthenticated attackers to read sensitive files and steal credentials, posing a significant security risk. The patch was released in November 2024, approximately six weeks after the vulnerability was disclosed to Nakivo.
Affected: Nakivo, and its customers globally, potentially including major companies like Coca-Cola, Cisco, Honda, and Siemens.
Key points:
- The vulnerability, identified as CVE-2024-48248, was discovered by watchTowr and was exploitable through Nakivo's management interface.
- It took less than a day for researchers to find and exploit the vulnerability, using common search engine tools.
- Nakivo issued a patch in November 2024 but has not publicly clarified which versions were affected or if customers were privately informed.
Source: https://www.darkreading.com/application-security/nakivo-fixes-critical-flaw-backup-replication-tool