cbcvebase.
CVE-2007-1785
published 2007-03-31


Priority: P348, high, 7.1 (CVSS 2.0)
Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C
EXPLOIT
EPSS: 15.35% (96.4th percentile)
The RPC service in mediasvr.exe in CA BrightStor ARCserve Backup 11.5 SP2 build 4237 allows remote attackers to execute arbitrary code via crafted xdr_handle_t data in RPC packets, which is used in calculating an address for a function call, as demonstrated using the 191 (0xbf) RPC request.

Affected

7 ranges
Vendor    Product                      Version range  Fixed in
broadcom  brightstor_arcserve_backup
broadcom  brightstor_arcserve_backup
broadcom  brightstor_arcserve_backup
broadcom  business_protection_suite
broadcom  server_protection_suite
ca        brightstor_arcserve_backup
ca        business_protection_suite

Detection & IOCs (extracted from sources)

filename: mediasvr.exe
port: 111
bytes: \x00\x00\x00\xbf\x00\x00\x00\x00\x00\x00\x00\x00
bytes: \x80\x00\x80\x34\x65\xcf\x4c\x7b\x00\x00\x00\x00\x00\x00\x00\x02\x00\x06\x09\x7e\x00\x00\x00\x01
bytes: \x80\x00\x00\x38\x21\x84\xf7\xc9\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86\xa0\x00\x00\x00\x02\x00\x00\x00\x03
  • Alert on outbound connections from mediasvr.exe or unexpected child processes (e.g., cmd.exe) spawned by mediasvr.exe, which may indicate successful exploitation and shellcode execution.
  • Detect inbound TCP connections to port 4444 on hosts running CA BrightStor ARCserve Backup, as the exploit payload binds a shell on that port.