CVE-2015-4068
Published 2015-05-29
CVE-2015-4068: Directory traversal vulnerability in Arcserve UDP before 5.0 Update 4 allows remote attackers to obtain sensitive information or cause a denial of service via…
Priority: P183 · critical · 9.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:H
KEV: CISA Known Exploited Vulnerability, due 2022-04-15
ITW: Exploited in the wild
EPSS: 63.64% (99.1th percentile)
Directory traversal vulnerability in Arcserve UDP before 5.0 Update 4 allows remote attackers to obtain sensitive information or cause a denial of service via a crafted file path to the (1) reportFileServlet or (2) exportServlet servlet.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| arcserve | udp | < 5.0 | 5.0 |
| arcserve | udp | — | — |
Detection & IOCs (extracted from sources)
- Directory traversal attack targeting the 'reportFileServlet' servlet endpoint in Arcserve UDP
- Directory traversal attack targeting the 'exportServlet' servlet endpoint in Arcserve UDP
- Vulnerability affects Arcserve UDP versions prior to 5.0 Update 4 only; patched versions are not affected.
CVSS provenance
- nvd v3.1: 9.1 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
- nvd v2.0: 9.4 CRITICAL, AV:N/AC:L/Au:N/C:C/I:N/A:C
- vulncheck: 9.1 CRITICAL
- cisa: 9.1 CRITICAL
VulDB
Arcserve UDP up to 5.0 Update 3 path traversal (BID-74845 / ID 800720)
vuldb·2026-04-22·CVSS 9.1
CVE-2015-4068 [CRITICAL] Arcserve UDP up to 5.0 Update 3 path traversal (BID-74845 / ID 800720)
A vulnerability labeled as critical has been found in Arcserve UDP up to 5.0 Update 3. The impacted element is an unknown function. Executing a manipulation can lead to path traversal.
This vulnerability is registered as CVE-2015-4068. It is possible to launch the attack remotely. Furthermore, an exploit is available.
The affected component should be upgraded.
GHSA
GHSA-rcg3-4524-mq7j: Directory traversal vulnerability in Arcserve UDP before 5
ghsa_unreviewed·2022-05-17
CVE-2015-4068 [HIGH] CWE-22 GHSA-rcg3-4524-mq7j: Directory traversal vulnerability in Arcserve UDP before 5
Directory traversal vulnerability in Arcserve UDP before 5.0 Update 4 allows remote attackers to obtain sensitive information or cause a denial of service via a crafted file path to the (1) reportFileServlet or (2) exportServlet servlet.
VulnCheck
Arcserve Unified Data Protection (UDP) Directory Traversal Vulnerability
vulncheck·2015·CVSS 9.1
CVE-2015-4068 [CRITICAL] CWE-22 Arcserve Unified Data Protection (UDP) Directory Traversal Vulnerability
Directory traversal vulnerability in Arcserve UDP allows remote attackers to obtain sensitive information or cause a denial of service.
Affected: Arcserve Unified Data Protection
Required Action: Apply updates per vendor instructions.
Exploitation References: https://blog.checkpoint.com/security/december-2021s-most-wanted-malware-trickbot-emotet-and-the-log4j-plague/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://blog.checkpoint.com/security/april-2022s-most-wanted-malware-a-shake-up-in-the-index-but-emotet-is-still-on-top/; https://blog.checkpoint.com/security/april-2024s-most-wanted-malware-surge-in-androxgh0st-attacks-and-the-decline-of-lockbit3/; https://blog.chec
CISA
Arcserve Unified Data Protection (UDP) Directory Traversal Vulnerability
cisa·2022-03-25·CVSS 9.1
CVE-2015-4068 [CRITICAL] CWE-22 Arcserve Unified Data Protection (UDP) Directory Traversal Vulnerability
Vulnerability: Arcserve Unified Data Protection (UDP) Directory Traversal Vulnerability
Affected: Arcserve Unified Data Protection (UDP)
Directory traversal vulnerability in Arcserve UDP allows remote attackers to obtain sensitive information or cause a denial of service.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2015-4068
Remediation Due Date: 2022-04-15
No detection rules found.
No public exploits indexed.
- http://documentation.arcserve.com/Arcserve-UDP/Available/V5/ENU/Bookshelf_Files/HTML/Update%204/UDP_Update4_ReleaseNotes.html
- http://www.securityfocus.com/bid/74845
- http://www.zerodayinitiative.com/advisories/ZDI-15-241/
- http://www.zerodayinitiative.com/advisories/ZDI-15-242/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-4068
2015-05-29: Published
2022-03-25: Added to CISA KEV
Exploited in the wild