CVE-2008-4397
Published 2008-10-14
Priority: P272, critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 80.54% (99.6th percentile)
Directory traversal vulnerability in the RPC interface (asdbapi.dll) in CA ARCserve Backup (formerly BrightStor ARCserve Backup) r11.1 through r12.0 allows remote attackers to execute arbitrary commands via a .. (dot dot) in an RPC call with opnum 0x10A.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| broadcom | arcserve_backup | — | — |
| broadcom | business_protection_suite | — | — |
| broadcom | server_protection_suite | — | — |
| ca | arcserve_backup | — | — |
| ca | arcserve_backup | — | — |
| ca | business_protection_suite | — | — |
Detection & IOCs
Bytes: \x81\xc4\xff\xef\xff\xff\x44
- Detect RPC calls over TCP port 6504 targeting UUID 506b1890-14c8-11d1-bbc3-00805fa6962e with opcode 0x342 (REPORTREMOTEEXECUTECML) or opnum 0x10A, which are the two attack vectors for this CVE.
- The exploit payload contains bad characters \x00\x0a\x0d\x5c\x5f\x2f\x2e and a stack-adjustment prepend encoder stub \x81\xc4\xff\xef\xff\xff\x44; scanning for this byte sequence in RPC traffic on port 6504 can identify exploitation attempts.
- The vulnerable component is asdbapi.dll loaded by CA ARCserve Backup; presence of this DLL processing remote RPC calls should be monitored for unexpected child process creation (e.g., cmd.exe spawned by the ARCserve service).
- The Metasploit module targets a specific build of BrightStor ARCserve r11.5 (build 3884) with a hardcoded return address in ASCORE.dll; the exploit will not work as-is against other builds or versions without retargeting.
- The exploit requires the attacker to supply the NetBIOS hostname of the target (HNAME) as a mandatory argument; exploitation will fail without it.
- The OS-specific directory path (winnt vs windows) and SEH payload offset differ between Windows 2000 (offset 442) and Windows XP (offset 436); the module explicitly rejects other OS targets.
GHSA
GHSA-3f52-g2gw-29vq (ghsa_unreviewed · 2022-05-02)
CVE-2008-4397 [HIGH] CWE-20
Directory traversal vulnerability in the RPC interface (asdbapi.dll) in CA ARCserve Backup (formerly BrightStor ARCserve Backup) r11.1 through r12.0 allows remote attackers to execute arbitrary commands via a .. (dot dot) in an RPC call with opnum 0x10A.
Citrix
Citrix Security Bulletins (source: vendor_citrix)
| Bulletin | CVE | Severity | CVSS |
|---|---|---|---|
| CTX116930 | CVE-2008-2528 | CRITICAL | 10.0 |
| CTX116310 | CVE-2008-4676 | MEDIUM | 6.8 |
| CTX116227 | CVE-2008-6561 | LOW | 1.9 |
| CTX114487 | CVE-2008-0356 | CRITICAL | 10.0 |
| CTX117751 | CVE-2008-5121 | HIGH | 7.2 |
| CTX114893 | CVE-2008-2299 | MEDIUM | 5.0 |
| CTX118768 | CVE-2008-6830 | MEDIUM | 4.0 |
| CTX117814 | CVE-2008-3253 | MEDIUM | 4.3 |
| CTX116941 | CVE-2008-2300 | MEDIUM | 6.5 |
| CTX116228 | CVE-2008-5107 | LOW | 1.9 |
CVE References (each bulletin lists the CVE in its row plus): CVE-2025-12101, CVE-2025-62626, CVE-2026-23554, CVE-2026-3055, CVE-2026-4368, CVE-2026-4397
Affected Products (identical for every bulletin): Citrix ADM, Citrix Hypervisor, Citrix Virtual Apps and Desktops, Endpoint Management, NetScaler ADC, NetScaler Gateway, XenServer
No detection rules found.
Exploit-DB
Computer Associates ARCserve - REPORTREMOTEEXECUTECML Buffer Overflow (Metasploit)
exploitdb · 2010-04-30 · CVE-2008-4397
---
##
# $Id: ca_arcserve_342.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Computer Associates ARCserve REPORTREMOTEEXECUTECML Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in Computer Associates BrighStor ARCserve r11.5 (build 3884).
By sending a specially crafted RPC request to opcode 0x342, an attacker could overflow the buffer
and execute arbitrary code. In order to successfully explo
Metasploit
Computer Associates ARCserve REPORTREMOTEEXECUTECML Buffer Overflow
This module exploits a buffer overflow in Computer Associates BrightStor ARCserve r11.5 (build 3884). By sending a specially crafted RPC request to opcode 0x342, an attacker could overflow the buffer and execute arbitrary code. In order to successfully exploit this vulnerability, you will need to set the hostname argument (HNAME).
No writeups or analysis indexed.
http://secunia.com/advisories/32220
http://securityreason.com/securityalert/4412
http://www.securityfocus.com/archive/1/497218
http://www.securityfocus.com/archive/1/497281/100/0/threaded
http://www.securityfocus.com/bid/31684
http://www.securitytracker.com/id?1021032
http://www.vupen.com/english/advisories/2008/2777
https://exchange.xforce.ibmcloud.com/vulnerabilities/45774
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=188143