CVE-2011-3011
published 2011-08-15

Priority: P2 61
CVSS 2.0: 5 (medium)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 72.26% (99.4th percentile)
BaseServiceImpl.class in CA ARCserve D2D r15 does not properly handle sessions, which allows remote attackers to obtain credentials, and consequently execute arbitrary commands, via unspecified vectors.

Affected

1 range
Vendor | Product | Version range | Fixed in
ca | arcserve_d2d | |

Detection & IOCs (extracted from sources)

port: 8014
path: /contents/service/homepage
other: Content-Type: text/x-gwt-rpc; charset=utf-8
  • Alert on cleartext credential disclosure in HTTP responses containing both '"user"' and '"password"' JSON keys from the CA ARCserve D2D web service on port 8014, indicating successful exploitation.
  • After credential disclosure, the exploit chains into SMB/PsExec lateral movement on port 445 using harvested Windows Administrator credentials — correlate port 8014 exploitation with subsequent SMB activity to the same host.
  • The vulnerability resides in BaseServiceImpl.class in CA ARCserve D2D r15; monitor for unauthenticated or session-less GWT RPC calls to the homepage servlet as an indicator of exploitation.
  • The disclosed credentials are Windows Administrator-level credentials, meaning successful exploitation grants full OS-level access, not just application access.
  • Credentials are returned in cleartext within the HTTP response body, making network-level interception (e.g., passive sniffing on port 8014) also a viable detection/collection vector.
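
The correlation described in the bullets above, as an added example that is not part of the original page or of any vendor tooling: flag responses from the port 8014 homepage servlet that carry both credential keys, and escalate when SMB traffic to the same server follows. The record schema (ts, src, dst, dst_port, path, req_content_type, resp_body), the 30-minute window and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Indicators listed on this page.
D2D_PORT = 8014
D2D_PATH = "/contents/service/homepage"
GWT_CONTENT_TYPE = "text/x-gwt-rpc"
SMB_PORT = 445
WINDOW = timedelta(minutes=30)  # assumption: correlation window, tune per site

def is_disclosure(tx):
    """HTTP transaction whose response body carries both credential keys."""
    body = tx["resp_body"]
    return (tx["dst_port"] == D2D_PORT
            and tx["path"].startswith(D2D_PATH)
            and GWT_CONTENT_TYPE in tx["req_content_type"].lower()
            and '"user"' in body and '"password"' in body)

def correlate(http_txs, flows, window=WINDOW):
    """One alert per disclosure; escalate when SMB to the same server follows."""
    alerts = []
    for tx in filter(is_disclosure, http_txs):
        smb = [f for f in flows
               if f["dst"] == tx["dst"] and f["dst_port"] == SMB_PORT
               and timedelta(0) <= f["ts"] - tx["ts"] <= window]
        alerts.append({
            "server": tx["dst"], "client": tx["src"], "ts": tx["ts"],
            "smb_sources": sorted({f["src"] for f in smb}),
            "severity": "critical" if smb else "high",
        })
    return alerts

# Constructed sample records (hypothetical schema, documentation addresses).
T0 = datetime(2024, 1, 1, 12, 0, 0)
CT = "text/x-gwt-rpc; charset=utf-8"
HTTP_TXS = [
    {"ts": T0, "src": "198.51.100.7", "dst": "192.0.2.10", "dst_port": 8014,
     "path": D2D_PATH, "req_content_type": CT,
     "resp_body": '{"user":"<redacted>","password":"<redacted>"}'},
    {"ts": T0, "src": "198.51.100.9", "dst": "192.0.2.11", "dst_port": 8014,
     "path": D2D_PATH, "req_content_type": CT, "resp_body": '{"status":"ok"}'},
]
FLOWS = [
    {"ts": T0 + timedelta(minutes=2), "src": "198.51.100.7", "dst": "192.0.2.10", "dst_port": 445},
    {"ts": T0 + timedelta(hours=3), "src": "198.51.100.9", "dst": "192.0.2.11", "dst_port": 445},
]

if __name__ == "__main__":
    for alert in correlate(HTTP_TXS, FLOWS):
        print(alert)
```

A disclosure with no SMB follow-up inside the window still alerts at "high", since the page notes the response alone already exposes Administrator-level credentials.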