CVE-2024-0800
published 2024-03-13

CVE-2024-0800: A path traversal vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.servlet…

Priority: P2 · 79 · high · 8.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 1.03% (59.5th percentile)
A path traversal vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.servlet.ImportNodeServlet.

Affected

4 ranges
Vendor | Product | Version range | Fixed in
arcserve | udp | |
arcserve | udp | |
arcserve | unified_data_protection | <= 9.2 |
github.com | minio_minio | >= 0.0.0-20220623162515-580d9db85e04 < 0.0.0-20241213221912-68b004a48f41 | 0.0.0-20241213221912-68b004a48f41

Detection & IOCs (extracted from sources)

url: /management/wizardLogin
path: C:\Program Files\Arcserve\Unified Data Protection\Management\Report\Temp\2023_12_01__20_54_58_355\/../../../../../../../../..//Windows/System32/existing_exe_to_be_replaced.exe
port: 8015
filename: edge-app-base-webui.jar
command: python3 arcserve_udp_console_wizardLogin_auth_bypass.py -t -p 8015 -f /tmp/malicious_file -s '\Windows\System32\existing_exe_to_be_replaced.exe'

  • Detect unauthenticated POST requests to /management/wizardLogin that omit the password parameter — this is the authentication bypass (CVE-2024-0799) used to chain into the path traversal upload (CVE-2024-0800).
  • Monitor file upload requests to the ImportNodeServlet endpoint for path traversal sequences (e.g., '../' or '..\') in the destination path parameter, particularly targeting paths outside the UDP Report/Temp directory.
  • Alert on file write operations originating from the Arcserve UDP Console process (running as SYSTEM) to sensitive directories such as Windows\System32, as the upload runs under the SYSTEM security context.
  • Inspect inbound traffic on TCP port 8015 for requests to /management/wizardLogin or /management/services/EdgeServiceConsoleImpl with anomalous or missing authentication parameters.
  • CVE-2024-0800 (path traversal file upload) requires prior authentication; in practice it is chained with CVE-2024-0799 (wizardLogin auth bypass) to achieve unauthenticated exploitation. Detection rules should account for both steps of the chain.
  • Affected versions are Arcserve UDP 9.2 and 8.1. Patches P00003050 (UDP 9.2) and P00003059 (UDP 8.1) are available; patched systems should no longer be vulnerable to this exploit chain.
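
The checks in the list above, sketched as an added example (not code from the advisory, the vendor or any detection product): it resolves a written path the way Windows would, flags writes that leave the Report\Temp directory named in the path IOC, and flags wizardLogin POSTs with no password parameter. The request field layout, the sample file names and `other_field` are constructed for illustration.

```python
import ntpath

# Base upload directory, taken from the path IOC on this page.
UDP_TEMP_BASE = r"C:\Program Files\Arcserve\Unified Data Protection\Management\Report\Temp"
SENSITIVE_DIRS = (r"C:\Windows\System32",)  # directory named in the guidance above

def resolve(raw):
    """Normalize a Windows path: unify separators, collapse '..', '.', doubled slashes."""
    return ntpath.normcase(ntpath.normpath(raw.replace("/", "\\")))

def is_under(path, base):
    """True if an already-resolved path is the base directory or lies inside it."""
    base = resolve(base)
    return path == base or path.startswith(base + "\\")  # trailing "\" rejects siblings like Temp2

def check_write(raw_path):
    """Return findings for one file-write path attributed to the UDP Console process."""
    findings = []
    resolved = resolve(raw_path)
    if ".." in raw_path.replace("/", "\\").split("\\"):
        findings.append("traversal-sequence")
    if not is_under(resolved, UDP_TEMP_BASE):
        findings.append("escapes-report-temp")
    if any(is_under(resolved, d) for d in SENSITIVE_DIRS):
        findings.append("sensitive-directory")
    return findings

def check_request(req):
    """Flag a POST to /management/wizardLogin that carries no password parameter."""
    return (req["method"] == "POST"
            and req["path"].split("?")[0] == "/management/wizardLogin"
            and "password" not in req.get("params", {}))

# Constructed sample events (hypothetical field layout, not a real log schema).
SAMPLE_WRITES = [
    UDP_TEMP_BASE + r"\2023_12_01__20_54_58_355\nodes.csv",
    UDP_TEMP_BASE + r"\2023_12_01__20_54_58_355\/../../../../../../../../..//Windows/System32/existing_exe_to_be_replaced.exe",
    UDP_TEMP_BASE + r"\..\Temp2\x.txt",
]
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/management/wizardLogin", "params": {"other_field": "a", "password": "b"}},
    {"method": "POST", "path": "/management/wizardLogin", "params": {"other_field": "a"}},
]

if __name__ == "__main__":
    for p in SAMPLE_WRITES:
        print(check_write(p), resolve(p))
    for r in SAMPLE_REQUESTS:
        print(check_request(r), r["path"])
```

Comparing the resolved path rather than searching for '../' alone also catches mixed and doubled separators such as the `\/../` and `..//` forms in the path IOC.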

CVSS provenance

nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck | 8.8 | HIGH