CVE-2024-0799
published 2024-03-13


Priority: P1 (83) · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 4.34% (90.0th percentile)
An authentication bypass vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in the edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.EdgeLoginServiceImpl.doLogin() function within wizardLogin.

Affected

3 ranges
Vendor | Product | Version range | Fixed in
arcserve | udp | |
arcserve | udp | |
arcserve | unified_data_protection | <= 9.2 |

Detection & IOCs (extracted from sources)

url: /management/wizardLogin
url: /management/centralmanagementui/service/configuration
cookie: EDGEJSESSIONID
cookie: notShowWizard
port: 8015
path: C:\Program Files\Arcserve\Unified Data Protection\Management\Report\Temp\2023_12_01__20_54_58_355\/../../../../../../../../..//Windows/System32/existing_exe_to_be_replaced.exe
other: shodan:http.favicon.hash:1015186617
other: fofa:icon_hash="1015186617"
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Arcserve Unified Data Protection wizardLogin Authentication Bypass (CVE-2024-0799)"; flow:established,to_server; http.uri; content:"/management/wizardLogin"; fast_pattern; startswith; content:!"password|3d|"; http.method; content:"POST"; reference:url,www.tenable.com/security/research/tra-2024-07; reference:cve,2024-0799; classtype:web-application-attack; sid:2065740; rev:1; metadata:affected_product Arcserve_UDP, attack_target Server, tls_state TLSDecrypt, created_at 2025_11_12, cve CVE_2024_0799, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit request is a POST to /management/wizardLogin with NO 'password' parameter in the body — the absence of the password field is the key bypass trigger.
  • Successful authentication bypass results in an HTTP 302 redirect and Set-Cookie headers containing both 'EDGEJSESSIONID' and 'notShowWizard'.
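  • The Snort/ET rule detects the attack by matching POST requests whose URI starts with /management/wizardLogin and that do NOT contain 'password=' (written in the rule as 'password|3d|', where |3d| is the hex byte for '='). As written, the negated match follows the http.uri keyword, so it is evaluated against the URI buffer.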
  • After auth bypass, chained exploitation uploads files via path traversal through the ImportNodeServlet; monitor for file writes under the UDP Management Report/Temp directory with /../ sequences traversing to system paths.
  • The UDP Console listens on port 8015; monitor for unauthenticated POST requests to this port targeting /management/wizardLogin.
  • Arcserve UDP Console can be fingerprinted via favicon hash 1015186617 on Shodan/FOFA for exposure assessment.
  • The bypass only triggers when the 'password' parameter is entirely absent (NULL) from the POST body; passing an empty string does NOT trigger the vulnerable code path. The null-check branch is what invokes UUID-based authentication.
  • The Snort rule (sid:2065740) requires TLS decryption (tls_state TLSDecrypt / deployment SSLDecrypt) to inspect HTTPS traffic to the UDP Console; without SSL inspection the rule will not fire on encrypted sessions.
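
The detection notes above, as an added log-triage example (not taken from the page's sources): it separates an absent 'password' field from an empty one and marks a hit as successful only when the 302 and both cookies are present. The transaction dict layout, the placeholder field 'x' and the choice to accept a password field in either the query string or the body are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

WIZARD_PATH = "/management/wizardLogin"
BYPASS_COOKIES = {"EDGEJSESSIONID", "notShowWizard"}


def cookie_names(set_cookie_headers):
    """Cookie names from Set-Cookie header values (text before the first '=')."""
    return {h.split("=", 1)[0].strip() for h in set_cookie_headers}


def classify(txn):
    """Return 'bypass-success', 'bypass-attempt' or None for one transaction."""
    url = urlsplit(txn["uri"])
    if txn["method"] != "POST" or not url.path.startswith(WIZARD_PATH):
        return None
    # keep_blank_values=True keeps 'password=' as present-but-empty, which the
    # notes above say does not reach the vulnerable branch.
    # Assumption: a password field in the query string or the form body counts.
    fields = parse_qs(url.query, keep_blank_values=True)
    fields.update(parse_qs(txn.get("body", ""), keep_blank_values=True))
    if "password" in fields:
        return None
    bypassed = (txn.get("status") == 302
                and BYPASS_COOKIES <= cookie_names(txn.get("set_cookie", [])))
    return "bypass-success" if bypassed else "bypass-attempt"


# Constructed sample transactions (not captured traffic); 'x' is a placeholder field.
SAMPLES = [
    {"method": "POST", "uri": "/management/wizardLogin", "body": "x=placeholder",
     "status": 302, "set_cookie": ["EDGEJSESSIONID=0000; Path=/management",
                                   "notShowWizard=true"]},
    {"method": "POST", "uri": "/management/wizardLogin",
     "body": "x=placeholder&password=", "status": 200, "set_cookie": []},
    {"method": "POST", "uri": "/management/wizardLogin", "body": "x=placeholder",
     "status": 200, "set_cookie": []},
    {"method": "GET", "uri": "/management/wizardLogin", "body": "",
     "status": 200, "set_cookie": []},
]


def triage(transactions):
    """Verdict per transaction, in input order."""
    return [classify(t) for t in transactions]


if __name__ == "__main__":
    for verdict, t in zip(triage(SAMPLES), SAMPLES):
        print(verdict, t["method"], t["uri"])
```

Because the field name is matched exactly after parsing, a body such as 'oldpassword=1' still counts as having no 'password' field, whereas a raw substring test for 'password=' would treat it as present.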

CVSS provenance

nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL