10 Apr

A high-severity security vulnerability has been identified in NAKIVO Backup & Replication, a popular data protection solution. The vulnerability, classified as an XML External Entity (XXE) issue and tracked as CVE-2025-32406, poses a significant risk to systems using affected versions of the software.
NAKIVO's security advisory states that the XXE vulnerability resides in the Director NBR component of Backup & Replication. According to the advisory, the flaw allows remote attackers to “fetch and parse the XML response, potentially granting unauthorized access to sensitive data”.
In practice, the attacker supplies a malicious host parameter so that the Director connects to a server under the attacker's control. The XML that server returns is parsed with external entities enabled, so an entity declaration in the response can point at a local file path, and the parser reads that file into the document it is processing. The result is that the attacker can retrieve arbitrary files from the affected system, limited only by what the Director process itself can read.
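The mechanism above, reduced to an offline demonstration with Python's standard-library SAX parser. This is an added example, not NAKIVO's code or a reproduction of the actual Director parser (which is not assumed to be Python): it shows the parser configuration class that makes a fetched XML response dangerous, next to a hardened configuration. The XML "response", the throwaway secret file, and the helper names (`attacker_response`, `parse_vulnerable`, `parse_hardened`, `RejectDTD`, `demo`) are all constructed for this example.

```python
"""Out-of-band XXE, reduced to a local demo: the application parses XML that
came from a host the attacker chose, and the parser expands external entities
declared in that XML. Constructed example, not NAKIVO code."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, property_lexical_handler


class TextCollector(ContentHandler):
    """Accumulates the character data of the parsed document, i.e. the part a
    vulnerable application would later hand back to the caller."""

    def __init__(self):
        super().__init__()
        self.text = []

    def characters(self, content):
        self.text.append(content)


class RejectDTD:
    """Lexical handler that refuses any DOCTYPE. Entities can only be declared
    inside a DTD, so rejecting the DTD closes the whole XXE class, and it fires
    before the document body (and any entity reference) is parsed."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE not allowed: %r" % name)

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def attacker_response(target_file):
    """The XML an attacker-controlled host would return (constructed here).
    &xxe; expands to the contents of target_file once external general
    entities are enabled in the parser that consumes this response."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE reply [ <!ENTITY xxe SYSTEM "file://%s"> ]>\n'
        '<reply><status>&xxe;</status></reply>\n' % target_file
    ).encode()


def parse_vulnerable(xml_bytes):
    """Mirrors the flaw: external general entities are resolved, so a SYSTEM
    entity in the fetched XML reads a local file into the parsed result."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)  # the dangerous setting
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.text)


def parse_hardened(xml_bytes):
    """External entities stay disabled (the modern Python default, set
    explicitly here) and any DTD is rejected before the body is parsed, so
    nothing is read from disk or fetched from the network."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setProperty(property_lexical_handler, RejectDTD())
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.text)


def demo():
    """Creates a throwaway 'secret' file standing in for a sensitive file on the
    backup server, feeds the attacker's XML to both parsers and returns
    (text leaked by the vulnerable parser, error raised by the hardened one)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as f:
            f.write("db_password=hunter2")  # constructed sample content
        payload = attacker_response(secret)
        leaked = parse_vulnerable(payload)
        try:
            parse_hardened(payload)
            error = None
        except ValueError as exc:
            error = str(exc)
    return leaked, error


if __name__ == "__main__":
    leaked, error = demo()
    print("vulnerable parser returned:", leaked)
    print("hardened parser raised:", error)
```

In the real attack the leaked text would travel back to the attacker inside whatever the Director does with the parsed response; the demo stops at showing it in the parser's output. Disabling external entities alone is enough to stop the file read, but rejecting the DTD as well also blocks parameter-entity and entity-expansion tricks that do not need a general entity.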
The severity of this vulnerability is rated high, with a CVSS base score of 8.6. The score reflects that the flaw is reachable by a remote attacker and leads to unauthorized disclosure of files from the backup server, a host that typically holds credentials for the systems it protects.
The affected versions of NAKIVO Backup & Replication range from 10.3.x through 11.0.1. Users of these versions are strongly advised to take immediate action to secure their systems.
NAKIVO has addressed the XXE vulnerability in Backup & Replication version 11.0.2, and upgrading to that release is the primary recommendation. Because the issue is exploitable remotely, limiting network access to the Director to trusted management hosts reduces exposure until the upgrade is applied, but it is not a substitute for it.
