The U.S. Cybersecurity and Infrastructure Safety Company (CISA) has issued a warning a couple of severe vulnerability within the NAKIVO Backup and Replication software program, often known as CVE-2024-48248.

This vulnerability permits attackers to use an absolute path traversal flaw, enabling them to learn arbitrary information with out authentication.

The vulnerability resides within the Director Internet Interface of the NAKIVO Backup and Replication resolution, particularly within the STPreLoadManagement motion via the /c/router endpoint.

By manipulating the file path parameter, attackers can entry any file on the system the software program is working on. This consists of important system information and backup knowledge, which might result in unauthorized knowledge exfiltration or different malicious actions.

Affect and Exploitation

Given the character of the vulnerability, attackers can exploit it to learn delicate info akin to system information, database credentials, and backup knowledge.

The NAKIVO software program typically integrates with cloud environments, digital infrastructure, and community units, making the potential influence intensive.

The attackers might use this vulnerability to entry AWS keys, SSH credentials, or different privileged info saved by NAKIVO for backup operations.

Proof of Idea (PoC) Demonstrated

A proof-of-concept (PoC) for this vulnerability has been demonstrated. It entails sending a crafted request to the /c/router endpoint with the next payload:

POST /c/router HTTP/1.1

Host: {{Hostname}}

Content material-Kind: software/json

Connection: keep-alive

Content material-Size: 121

{

  "motion": "STPreLoadManagement",

  "methodology": "getImageByPath",

  "knowledge": ["C:/windows/win.ini"],

  "sort": "rpc",

  "tid": 3980,

  "sid": ""

}

This request makes use of the getImageByPath methodology of the STPreLoadManagement motion to learn the C:/home windows/win.ini file on a Home windows system.

Equally, attackers might use this methodology to learn delicate information like /and many others/shadow on Linux methods.

Mitigation and Vendor Response

NAKIVO has quietly patched the vulnerability in model 11.0.0.88174 and later releases.

The repair prevents listing traversal by guaranteeing that file paths are sanitized utilizing the FileUtils library, which constructs a secure file path by stripping mother or father listing references and path manipulation makes an attempt.

Within the patched model:

public byte[] getImageByPath(String path) throws IOException {

  String fileName = FilenameUtils.getName(path);

  File targetFile = FileUtils.getFile(new String[] { "userdata", "branding", fileName });

  if (!targetFile.exists() || !targetFile.canRead() || targetFile.isDirectory()) {

    throw new IOException(Lang.get("companies.branding.no.file", new Object[0]));

  }

  return FileUtils.readFileToByteArray(targetFile);

}

CISA recommends that customers apply vendor-provided patches instantly. If patches usually are not accessible, customers ought to think about discontinuing use of the product till a repair is offered.

Moreover, following greatest practices for securing cloud companies, as outlined in Binding Operational Directive (BOD) 22-01, can assist mitigate potential dangers related to vulnerabilities like CVE-2024-48248.

The NAKIVO vulnerability highlights the growing significance of securing backup options, significantly in environments the place these methods typically maintain important knowledge.

As ransomware assaults proceed to evolve, guaranteeing that backup mechanisms are strong and safe is essential.

Customers and organizations should stay vigilant and proactive in addressing vulnerabilities akin to CVE-2024-48248 to guard in opposition to rising threats.

Examine Actual-World Malicious Hyperlinks & Phishing Assaults With Risk Intelligence Lookup - Attempt for Free

Mar 19, 2025Ravie LakshmananCloud Safety / Net Safety

The risk actors behind the ClearFake marketing campaign are utilizing faux reCAPTCHA or Cloudflare Turnstile verifications as lures to trick customers into downloading malware comparable to Lumma Stealer and Vidar Stealer.

ClearFake, first highlighted in July 2023, is the identify given to a risk exercise cluster that employs faux internet browser replace baits on compromised WordPress as a malware distribution vector.

The marketing campaign can also be identified for counting on one other approach generally known as EtherHiding to fetch the next-stage payload by using Binance’s Good Chain (BSC) contracts as a option to make the assault chain extra resilient. The top purpose of those an infection chains is to ship information-stealing malware able to focusing on each Home windows and macOS methods.

As of Might 2024, ClearFake assaults have adopted what has by now come to be generally known as ClickFix, a social engineering ploy that includes deceiving customers into operating malicious PowerShell code underneath the guise of addressing a non-existent technical difficulty.

“Though this new ClearFake variant continues to depend on the EtherHiding approach and the ClickFix tactic, it has launched further interactions with the Binance Good Chain,” Sekoia stated in a brand new evaluation.

“By utilizing sensible contract’s Utility Binary Interfaces, these interactions contain loading a number of JavaScript codes and extra assets that fingerprint the sufferer’s system, in addition to downloading, decrypting and displaying the ClickFix lure.”

The newest iteration of the ClearFake framework marks a major evolution, adopting Web3 capabilities to withstand evaluation and encrypting the ClickFix-related HTML code.

The online result’s an up to date multi-stage assault sequence that is initiated when a sufferer visits a compromised website, which then results in the retrieval of an intermediate JavaScript code from BSC. The loaded JavaScript is subsequently chargeable for fingerprinting the system and fetching the encrypted ClickFix code hosted on Cloudflare Pages.

Ought to the sufferer observe via and execute the malicious PowerShell command, it results in the deployment of Emmenhtal Loader (aka PEAKLIGHT) that subsequently drops Lumma Stealer.

Sekoia stated it noticed an alternate ClearFake assault chain in late January 2025 that served a PowerShell loader chargeable for putting in Vidar Stealer. As of final month, not less than 9,300 web sites have been contaminated with ClearFake.

“The operator has persistently up to date the framework code, lures, and distributed payloads every day,” it added. “ClearFake execution now depends on a number of items of information saved within the Binance Good Chain, together with JavaScript code, AES key, URLs internet hosting lure HTML information, and ClickFix PowerShell instructions.”

“The variety of web sites compromised by ClearFake recommend that this risk stays widespread and impacts many customers worldwide. In July 2024, […] roughly 200,000 distinctive customers have been doubtlessly uncovered to ClearFake lures encouraging them to obtain malware.”

The event comes as over 100 auto dealership websites have been found compromised with ClickFix lures that result in the deployment of SectopRAT malware.

“The place this an infection on the auto dealerships occurred was not on the dealership’s personal web site, however a third-party video service,” stated safety researcher Randy McEoin, who detailed a few of the earliest ClearFake campaigns in 2023, describing the incident for example of a provide chain assault.

The video service in query is LES Automotive (“idostream[.]com”), which has since eliminated the malicious JavaScript injection from the location.

The findings additionally coincide with the invention of a number of phishing campaigns which might be engineered to push numerous malware households and conduct credential harvesting –

• Utilizing digital onerous disk (VHD) information embedded inside archive file attachments in e-mail messages to distribute Venom RAT by way of a Home windows batch script
• Utilizing Microsoft Excel file attachments that exploit a identified safety flaw (CVE-2017-0199) to obtain an HTML Utility (HTA) that then makes use of Visible Primary Script (VBS) to fetch a picture, which comprises one other payload chargeable for decoding and launching AsyncRAT and Remcos RAT
• Exploiting misconfigurations in Microsoft 365 infrastructure to take management of tenants, create new administrative accounts, and ship phishing content material that bypasses e-mail safety protections and in the end facilitates credential harvesting and account takeover (ATO)

As social engineering campaigns proceed to change into extra refined, it is important that organizations and companies keep forward of the curve and implement sturdy authentication and access-control mechanisms towards Adversary-in-the-Center (AitM) and Browser-in-the-Center (BitM) methods that permit attackers to hijack accounts.

“A pivotal advantage of using a BitM framework lies in its speedy focusing on functionality, permitting it to achieve any web site on the internet in a matter of seconds and with minimal configuration,” Google-owned Mandiant stated in a report revealed this week.

“As soon as an software is focused via a BitM software or framework, the professional website is served via an attacker-controlled browser. This makes the excellence between a professional and a faux website exceptionally difficult for a sufferer. From the attitude of an adversary, BitM permits for a easy but efficient technique of stealing classes protected by MFA.”