CVE-2024-0799
Published 2024-03-13
Priority P183 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 4.34% (90.0th percentile)
An authentication bypass vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in the edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.EdgeLoginServiceImpl.doLogin() function within wizardLogin.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| arcserve | udp | — | — |
| arcserve | udp | — | — |
| arcserve | unified_data_protection | <= 9.2 | — |
Detection & IOCs (extracted from sources)
path: C:\Program Files\Arcserve\Unified Data Protection\Management\Report\Temp\2023_12_01__20_54_58_355\/../../../../../../../../..//Windows/System32/existing_exe_to_be_replaced.exe
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Arcserve Unified Data Protection wizardLogin Authentication Bypass (CVE-2024-0799)"; flow:established,to_server; http.uri; content:"/management/wizardLogin"; fast_pattern; startswith; content:!"password|3d|"; http.method; content:"POST"; reference:url,www.tenable.com/security/research/tra-2024-07; reference:cve,2024-0799; classtype:web-application-attack; sid:2065740; rev:1; metadata:affected_product Arcserve_UDP, attack_target Server, tls_state TLSDecrypt, created_at 2025_11_12, cve CVE_2024_0799, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Exploit request is a POST to /management/wizardLogin with NO 'password' parameter in the body; the absence of the password field is the key bypass trigger.
- Successful authentication bypass results in an HTTP 302 redirect and Set-Cookie headers containing both 'EDGEJSESSIONID' and 'notShowWizard'.
- The Snort/ET rule detects the attack by matching POST requests to a URI starting with /management/wizardLogin that do NOT contain 'password=' (written in the rule as 'password|3d|', where |3d| is the hex byte for '=').
- After auth bypass, chained exploitation uploads files via path traversal through the ImportNodeServlet; monitor for file writes under the UDP Management Report/Temp directory with /../ sequences traversing to system paths.
- The UDP Console listens on port 8015; monitor for unauthenticated POST requests to this port targeting /management/wizardLogin.
- Arcserve UDP Console can be fingerprinted via favicon hash 1015186617 on Shodan/FOFA for exposure assessment.
- The bypass only triggers when the 'password' parameter is entirely absent (NULL) from the POST body. Passing an empty string does NOT trigger the vulnerable code path; the null-check branch is what invokes UUID-based authentication.
- The Snort rule (sid:2065740) requires TLS decryption (tls_state TLSDecrypt / deployment SSLDecrypt) to inspect HTTPS traffic to the UDP Console; without SSL inspection the rule will not fire on encrypted sessions.
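The same checks applied to proxy or WAF logs after the fact, as an added example (not code from the sources or the vendor). The JSON-lines schema, field names and sample records are constructed; the sketch assumes form-encoded bodies and treats a `password` key in either the query string or the body as present.

```python
import json
from urllib.parse import urlsplit, parse_qs

TARGET_PATH = "/management/wizardLogin"
BYPASS_COOKIES = {"EDGEJSESSIONID", "notShowWizard"}

# Constructed sample records in a hypothetical proxy-log schema (one JSON object per line).
SAMPLE_LOG = """\
{"src":"198.51.100.7","method":"POST","uri":"/management/wizardLogin","body":"x=1","status":302,"set_cookie":["EDGEJSESSIONID=aaa; Path=/","notShowWizard=true"]}
{"src":"192.0.2.10","method":"POST","uri":"/management/wizardLogin","body":"x=1&password=","status":200,"set_cookie":[]}
{"src":"203.0.113.9","method":"POST","uri":"/management/wizardLogin","body":"x=1","status":200,"set_cookie":[]}
{"src":"192.0.2.44","method":"GET","uri":"/management/wizardLogin","body":"","status":200,"set_cookie":[]}
{"src":"192.0.2.45","method":"POST","uri":"/management/wizardLogin","body":"x=1&password=s3cret","status":302,"set_cookie":["EDGEJSESSIONID=bbb","notShowWizard=true"]}
"""

def has_password_param(uri, body):
    """True if a 'password' key exists at all, even with an empty value."""
    for encoded in (urlsplit(uri).query, body or ""):
        # keep_blank_values=True keeps 'password=' so empty differs from absent.
        if "password" in parse_qs(encoded, keep_blank_values=True):
            return True
    return False

def classify(rec):
    """Return 'ignore', 'attempt' or 'bypass-succeeded' for one logged transaction."""
    if rec.get("method", "").upper() != "POST":
        return "ignore"
    if not urlsplit(rec.get("uri", "")).path.startswith(TARGET_PATH):
        return "ignore"
    if has_password_param(rec["uri"], rec.get("body", "")):
        return "ignore"  # password present (even empty): not the null branch
    names = {c.split("=", 1)[0].strip() for c in rec.get("set_cookie", [])}
    # 302 plus both cookies is the success signature listed above.
    if rec.get("status") == 302 and BYPASS_COOKIES <= names:
        return "bypass-succeeded"
    return "attempt"

def scan(log_text):
    """Yield-free helper: list of (source, verdict) for every non-ignored record."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            verdict = classify(rec)
            if verdict != "ignore":
                findings.append((rec["src"], verdict))
    return findings

if __name__ == "__main__":
    for src, verdict in scan(SAMPLE_LOG):
        print(src, verdict)
```

A `bypass-succeeded` hit warrants checking the same source for the follow-on file writes under the Report/Temp directory described above.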
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL
GHSA
GHSA-82qq-qr66-5pc5: An authentication bypass vulnerability exists in Arcserve Unified Data Protection 9
ghsa_unreviewed·2024-03-13
CVE-2024-0799 [CRITICAL] CWE-287 GHSA-82qq-qr66-5pc5: An authentication bypass vulnerability exists in Arcserve Unified Data Protection 9
VulnCheck
Arcserve Unified Data Protection 9.2 and 8.1 wizardLogin Authentication Bypass
vulncheck·2024·CVSS 9.8
CVE-2024-0799 [CRITICAL] Arcserve Unified Data Protection 9.2 and 8.1 wizardLogin Authentication Bypass
Affected: Arcserve Unified Data Protection
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://digital.nhs.uk/cyber-alerts/2024/cc-4487
Suricata
ET WEB_SPECIFIC_APPS Arcserve Unified Data Protection wizardLogin Authentication Bypass (CVE-2024-0799)
suricata·2025-11-12·CVSS 9.8
CVE-2024-0799 [CRITICAL] ET WEB_SPECIFIC_APPS Arcserve Unified Data Protection wizardLogin Authentication Bypass (CVE-2024-0799)
Nuclei
Arcserve Unified Data Protection - Authentication Bypass
nuclei·CVSS 9.8
CVE-2024-0799 [CRITICAL] Arcserve Unified Data Protection - Authentication Bypass
Template:
```yaml
id: CVE-2024-0799
info:
  name: Arcserve Unified Data Protection - Authentication Bypass
  author: daffainfo
  severity: critical
  description: |
    An authentication bypass vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in the edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.EdgeLoginServiceImpl.doLogin() function within wizardLogin.
  impact: |
    Attackers can bypass authentication, gaining unauthorized access to the system.
  remediation: |
    Update to the latest version of Arc
```