XXE Vulnerability
Product Version: 11.0.1
Last Modified: 18 March 2025
Issue Details
Severity: Critical
Source: Reported via customer support channel.
An XML External Entity (XXE) vulnerability has been identified in NAKIVO Backup & Replication 11.0.1.89945. The affected component parses XML input without disabling the resolution of external entities, so attacker-supplied XML can instruct the parser to fetch resources that the attacker names. By injecting a malicious host parameter, an attacker can make the system connect to a server under the attacker's control and retrieve arbitrary files from the affected system, disclosing their contents.
If exploited, this vulnerability could lead to the disclosure of sensitive data, unauthorized system access, and the compromise of backup and replication processes, posing a significant security risk.
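The following is an added illustration and is not NAKIVO code: the advisory does not describe the product's parser or endpoint, so Python's standard library xml.sax parser stands in for it, and the <request><host> document shape is an assumption. It shows the weak configuration (external entities resolved, so the file named in the DOCTYPE is substituted into the host value) beside a hardened one that disables external entity resolution and rejects any DOCTYPE before the DTD is processed. The payload points the entity at a constructed temporary file so the example runs offline; the attacker-server variant described above uses the same mechanism with an http URL as the SYSTEM identifier.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class HostCollector(handler.ContentHandler):
    """Collects the text of a <host> element. The element name is an assumed
    stand-in for wherever the real endpoint reads its host parameter."""

    def __init__(self):
        super().__init__()
        self._inside_host = False
        self.host = ""

    def startElement(self, name, attrs):
        if name == "host":
            self._inside_host = True

    def endElement(self, name):
        if name == "host":
            self._inside_host = False

    def characters(self, content):
        if self._inside_host:
            self.host += content


class DoctypeBlocker:
    """Lexical handler that aborts the parse as soon as a DOCTYPE appears.
    Every entity declaration needs a DTD, so rejecting DOCTYPE removes both
    XXE and internal entity-expansion attacks at the parser level."""

    def startDTD(self, name, public_id, system_id):
        raise xml.sax.SAXException("DOCTYPE declarations are not accepted")

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def parse_vulnerable(xml_bytes: bytes) -> str:
    """Weak configuration: external general entities are resolved, so the
    SYSTEM identifier in the DOCTYPE is fetched (file or URL) and its content
    is substituted wherever the entity is referenced."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, True)
    collector = HostCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.host.strip()


def parse_hardened(xml_bytes: bytes) -> str:
    """Hardened configuration: no external entity resolution of any kind,
    and any DOCTYPE is rejected before its DTD is processed."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)
    parser.setFeature(handler.feature_external_pes, False)
    parser.setProperty(handler.property_lexical_handler, DoctypeBlocker())
    collector = HostCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.host.strip()


def build_payload(path: str) -> bytes:
    """Constructed XXE payload: declares an external entity whose SYSTEM id is a
    local file and references it in the host parameter. A real attack would
    name a file such as /etc/passwd; here 'path' is a temporary file."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE request [<!ENTITY xxe SYSTEM "file://{path}">]>\n'
        "<request><host>&xxe;</host></request>\n"
    ).encode()


def demo() -> dict:
    """Runs the payload through both parsers and reports what each one did."""
    # Constructed stand-in for a sensitive file on the backup server.
    secret = "root:x:0:0:root:/root:/bin/sh\nbackup:x:1001:1001::/var/backup:/bin/sh\n"
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(secret)
        path = fh.name
    try:
        payload = build_payload(path)
        leaked = parse_vulnerable(payload)  # file content comes back as the "host"
        try:
            parse_hardened(payload)
            blocked = False
        except xml.sax.SAXException:
            blocked = True  # DOCTYPE rejected before anything is fetched
        benign = parse_hardened(b"<request><host>backup01.example.internal</host></request>")
    finally:
        os.unlink(path)
    return {"leaked": leaked, "blocked": blocked, "benign": benign}


if __name__ == "__main__":
    print(demo())
```

The DOCTYPE rejection is done in the parser's own lexical callback rather than by searching the raw bytes for "<!DOCTYPE", so it is not bypassed by alternate encodings, and the two external-entity features are disabled as well so the parse stays safe even if the DOCTYPE check were ever removed.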
Affected Versions
NAKIVO Backup & Replication 11.0.1.89945 and all earlier versions.
Solution
The vulnerability has been addressed in NAKIVO Backup & Replication version 11.0.2. To mitigate this vulnerability, we strongly recommend taking the following action:
Upgrade to a Secure Version
Download and upgrade to the latest version of NAKIVO Backup & Replication (11.0.2 or later). After upgrading, confirm that the installed build is no longer 11.0.1.89945 or earlier.