CVE-2023-26258
published 2023-07-03


Priority: P189, critical, 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW, Exploit, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 38.36% (98.4th percentile)
Arcserve UDP through 9.0.6034 allows authentication bypass. The method getVersionInfo at WebServiceImpl/services/FlashServiceImpl leaks the AuthUUID token. This token can be used at /WebServiceImpl/services/VirtualStandbyServiceImpl to obtain a valid session. This session can be used to execute any task as administrator.

Affected

1 range
Vendor    Product   Version range   Fixed in
arcserve  udp       <= 9.0.6034     -

Detection & IOCs (extracted from sources)

url: /WebServiceImpl/services/FlashServiceImpl
url: /WebServiceImpl/services/VirtualStandbyServiceImpl
other: ns5:authUUID
other: ([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})
other: http.favicon.hash:-1889244460
other: icon_hash="-1889244460"
  • Detect exploitation attempt: HTTP POST to /WebServiceImpl/services/FlashServiceImpl with SOAPAction header to invoke getVersionInfo and leak the AuthUUID token.
  • Detect second-stage exploitation: HTTP POST to /WebServiceImpl/services/VirtualStandbyServiceImpl using the extracted AuthUUID to obtain a valid privileged session.
  • Successful AuthUUID leak is confirmed when the response body contains 'ns5:authUUID', HTTP 200, and Content-Type text/xml.
  • Successful session hijack is confirmed when the response body contains 'ns5:uuid', 'ns5:userName', and 'ns5:password' fields.
  • Identify Arcserve UDP web panels exposed on the internet using Shodan favicon hash -1889244460 or FOFA icon_hash query.
  • Arcserve UDP panel fingerprint: response body contains 'Arcserve UDP' or '/arcserve.js' with HTTP 200.
  • The authentication bypass affects Arcserve UDP through version 9.0.6034; the vulnerability allows any unauthenticated user to escalate to administrator by chaining two SOAP endpoints.
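The detection points above can be turned into a small correlation rule. The following is an added example written for this entry, not code from the database or from Arcserve: it assumes a reverse proxy or WAF that logs request/response pairs in the (assumed) shape of the HttpExchange record below, labels each exchange with the stage-1 and stage-2 indicators listed above, and raises a critical alert when an AuthUUID that leaked from a FlashServiceImpl response is later reused in a request to VirtualStandbyServiceImpl. The sample traffic is constructed, not captured.

```python
import re
from dataclasses import dataclass

# Endpoint paths, XML markers and the UUID pattern come from the IoC list above.
STAGE1_PATH = "/WebServiceImpl/services/FlashServiceImpl"
STAGE2_PATH = "/WebServiceImpl/services/VirtualStandbyServiceImpl"
UUID_RE = re.compile(r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})")
SESSION_TAGS = ("ns5:uuid", "ns5:userName", "ns5:password")


@dataclass
class HttpExchange:
    """One request/response pair as a proxy or WAF might log it.
    This field layout is assumed for the example; it is not a real log format."""
    src_ip: str
    method: str
    path: str
    soap_action: str        # value of the request's SOAPAction header, "" if absent
    request_body: str
    status: int
    content_type: str
    response_body: str


def classify(ex: HttpExchange) -> list[str]:
    """Label one exchange with the stage-1 / stage-2 indicators from the entry."""
    labels = []
    if ex.method == "POST" and ex.path == STAGE1_PATH and "getVersionInfo" in ex.soap_action:
        labels.append("stage1_request")
        # Leak is confirmed only by HTTP 200 + text/xml + the ns5:authUUID element.
        leaked = (ex.status == 200 and ex.content_type.startswith("text/xml")
                  and "ns5:authUUID" in ex.response_body)
        if leaked:
            labels.append("stage1_authuuid_leaked")
    if ex.method == "POST" and ex.path == STAGE2_PATH:
        labels.append("stage2_request")
        # Session hijack is confirmed by all three ns5 fields in the response.
        if all(tag in ex.response_body for tag in SESSION_TAGS):
            labels.append("stage2_session_obtained")
    return labels


def correlate(exchanges: list[HttpExchange]) -> list[dict]:
    """Walk exchanges in order. Every stage-2 request produces an alert; it is
    'critical' when the request reuses an AuthUUID seen leaking in an earlier
    stage-1 response, otherwise 'high'."""
    leaked: dict[str, str] = {}   # AuthUUID -> source IP that received it
    alerts = []
    for ex in exchanges:
        labels = classify(ex)
        if "stage1_authuuid_leaked" in labels:
            for uuid in UUID_RE.findall(ex.response_body.lower()):
                leaked[uuid] = ex.src_ip
        if "stage2_request" in labels:
            reused = [u for u in UUID_RE.findall(ex.request_body.lower()) if u in leaked]
            alerts.append({
                "src_ip": ex.src_ip,
                "severity": "critical" if reused else "high",
                "chained_authuuid": reused[0] if reused else None,
                "session_obtained": "stage2_session_obtained" in labels,
            })
    return alerts


# Constructed sample traffic (not from a real system): one benign request, then
# the two-stage pattern from a single source address. The bodies are placeholders.
LEAKED_UUID = "0a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9"
SAMPLE = [
    HttpExchange("198.51.100.4", "GET", "/", "", "", 200, "text/html",
                 "<html>Arcserve UDP</html>"),
    HttpExchange("203.0.113.7", "POST", STAGE1_PATH, "getVersionInfo", "<soap:Envelope/>",
                 200, "text/xml;charset=UTF-8",
                 f"<soap:Body><ns5:authUUID>{LEAKED_UUID}</ns5:authUUID></soap:Body>"),
    HttpExchange("203.0.113.7", "POST", STAGE2_PATH, "",
                 f"<soap:Envelope>{LEAKED_UUID}</soap:Envelope>",
                 200, "text/xml;charset=UTF-8",
                 "<ns5:uuid>..</ns5:uuid><ns5:userName>..</ns5:userName>"
                 "<ns5:password>..</ns5:password>"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE):
        print(alert)
```

A stage-2 request that carries no previously seen AuthUUID is still alerted at high severity, because the proxy may have missed the stage-1 response (for example if the leak happened before logging was enabled) and the endpoint is not something an unauthenticated client has a reason to call.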

CVSS provenance

nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL