CVE-2025-32406

Product Version: 11.0.1

Last Modified: 07 April 2025

Issue Details

CVE-2025-32406

Severity: High

CVSS Base Score: 8.6

Source: Reported by L7sling via support channel.

An XML External Entity (XXE) vulnerability has been discovered in NAKIVO Backup & Replication 11.0.1.89945. The XXE issue in the Director NBR component of NAKIVO Backup & Replication 10.3.x through 11.0.1 allows remote attackers to fetch and parse the XML response, potentially granting unauthorized access to sensitive data: by injecting a malicious host parameter, an attacker can make the system connect to a server under their control, enabling the retrieval of arbitrary files from the affected system.
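The root cause of an XXE issue is an XML parser that honours DTD declarations and resolves external entities in input it does not control. The following is an added illustration, not code from NAKIVO or from this advisory, of the standard hardening: a parser that refuses any DOCTYPE and any external entity reference before it can be resolved. It uses only Python's standard-library expat binding; the function name parse_untrusted, the flat {tag: text} output shape, and both sample documents are constructed for the example (the SYSTEM URI is a placeholder, not a real path).

```python
"""Hardened XML parsing for untrusted input: reject DTDs and external entities.

Added example (not NAKIVO code). Shows the parser-side mitigation for XXE:
untrusted XML has no legitimate need for a DTD, so any DOCTYPE is refused,
and external entity references are refused as a second layer.
"""
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when an untrusted document declares a DTD or references an external entity."""


def parse_untrusted(xml_bytes: bytes) -> dict:
    """Parse a flat XML document (<root><tag>text</tag>...</root>) into {tag: text}.

    Security behaviour:
      * StartDoctypeDeclHandler raises, so <!DOCTYPE ...> aborts parsing before any
        entity declaration inside it is processed.
      * ExternalEntityRefHandler returns 0, which makes expat stop with an error
        rather than fetching the referenced file or URL (defence in depth; with
        DOCTYPE refused it should never be reached).
    """
    parser = xml.parsers.expat.ParserCreate()
    result: dict = {}
    stack: list = []  # element names currently open

    def start_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE {doctype_name!r} is not allowed in untrusted input")

    def external_entity_ref(context, base, system_id, public_id):
        # 0 tells expat to fail with XML_ERROR_EXTERNAL_ENTITY_HANDLING; nothing is fetched.
        return 0

    def start_element(name, attrs):
        stack.append(name)

    def end_element(name):
        stack.pop()

    def char_data(data):
        # Only collect text of direct children of the root; expat may deliver text in chunks.
        if len(stack) == 2 and data.strip():
            result[stack[-1]] = result.get(stack[-1], "") + data

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    parser.Parse(xml_bytes, True)
    return result


# Constructed sample documents (not captured from any real system).
CLEAN_RESPONSE = (
    b'<?xml version="1.0"?>'
    b"<response><host>backup01.example.internal</host><status>ok</status></response>"
)
XXE_RESPONSE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE response [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/secret.txt">]>'
    b"<response><host>&ext;</host></response>"
)


def is_rejected(xml_bytes: bytes) -> bool:
    """Return True if the hardened parser refuses the document."""
    try:
        parse_untrusted(xml_bytes)
    except (UnsafeXMLError, xml.parsers.expat.ExpatError):
        return True
    return False


if __name__ == "__main__":
    print("clean:", parse_untrusted(CLEAN_RESPONSE))
    print("xxe rejected:", is_rejected(XXE_RESPONSE))
```

The same two controls map directly onto the Java stack a product like this typically uses: `disallow-doctype-decl` set to true on the DocumentBuilderFactory/SAXParserFactory, and `external-general-entities` / `external-parameter-entities` set to false. Rejecting the DOCTYPE outright is preferable to only disabling entity resolution, because it also removes entity-expansion (billion laughs) and parameter-entity tricks in one step.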

Affected Versions

NAKIVO Backup & Replication version 10.3.x through 11.0.1.

Solution

The XXE vulnerability CVE-2025-32406 has been addressed in NAKIVO Backup & Replication version 11.0.2. To mitigate this vulnerability, we strongly recommend taking the following actions:

Upgrade to a Secure Version

Download and upgrade to the latest version of NAKIVO Backup & Replication.