Nakivo Fixes Critical Flaw in Backup & Replication Tool


Nakivo, a data protection and backup software company, quietly patched a critical unauthenticated arbitrary file read vulnerability (CVE-2024-48248) in its backup and replication product. The vulnerability was reported by security researchers at watchTowr in September 2024, and Nakivo released a patch two months later. However, it remains unclear if the company notified affected customers about the security risk before the patch.

The vulnerability was found in version 10.11.3.86570 of Nakivo's software and affected Director, the central management HTTP interface. Exploiting this flaw allowed attackers to steal backups and credentials and to gain full access to infrastructure environments, making it highly severe.
