cbcvebase.

Arcserve Udp vulnerabilities

16 known vulnerabilities affecting arcserve/udp.

Total CVEs
16
CISA KEV
1
actively exploited
Public exploits
3
Exploited in wild
5
Severity breakdown
CRITICAL9HIGH5MEDIUM2

Vulnerabilities

Page 1 of 1
CVE-2015-4068P1CRITICALCVSS 9.1KEVfixed in 5.0v5.02015-05-29
CVE-2015-4068 [CRITICAL] CWE-22 CVE-2015-4068: Directory traversal vulnerability in Arcserve UDP before 5.0 Update 4 allows remote attackers to obt Directory traversal vulnerability in Arcserve UDP before 5.0 Update 4 allows remote attackers to obtain sensitive information or cause a denial of service via a crafted file path to the (1) reportFileServlet or (2) exportServlet servlet.
nvd
CVE-2023-26258P1CRITICALCVSS 9.8ExploitedPoC≤ 9.0.60342023-07-03
CVE-2023-26258 [CRITICAL] CWE-863 CVE-2023-26258: Arcserve UDP through 9.0.6034 allows authentication bypass. The method getVersionInfo at WebServiceI Arcserve UDP through 9.0.6034 allows authentication bypass. The method getVersionInfo at WebServiceImpl/services/FlashServiceImpl leaks the AuthUUID token. This token can be used at /WebServiceImpl/services/VirtualStandbyServiceImpl to obtain a valid session. This session can be used to execute any task as administrator.
nvd
CVE-2024-0799P1CRITICALCVSS 9.8ExploitedPoCv8.1v9.22024-03-13
CVE-2024-0799 [CRITICAL] CWE-287 CVE-2024-0799: An authentication bypass vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in the An authentication bypass vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in the edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.EdgeLoginServiceImpl.doLogin() function within wizardLogin.
nvd
CVE-2024-0801P2HIGHCVSS 7.5ExploitedPoCv8.1v9.22024-03-13
CVE-2024-0801 [HIGH] CWE-75 CVE-2024-0801: A denial of service vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in ASNative A denial of service vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in ASNative.dll.
nvd
CVE-2024-0800P2HIGHCVSS 8.8Exploitedv8.1v9.22024-03-13
CVE-2024-0800 [HIGH] CWE-434 CVE-2024-0800: A path traversal vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in edge-app-ba A path traversal vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.servlet.ImportNodeServlet.
nvd
CVE-2023-41998P2CRITICALCVSS 9.8fixed in 9.22023-11-27
CVE-2023-41998 [CRITICAL] CWE-434 CVE-2023-41998: Arcserve UDP prior to 9.2 contained a vulnerability in the com.ca.arcflash.rps.webservice.RPSService Arcserve UDP prior to 9.2 contained a vulnerability in the com.ca.arcflash.rps.webservice.RPSService4CPMImpl interface. A routine exists that allows an attacker to upload and execute arbitrary files.
nvd
CVE-2023-41999P2CRITICALCVSS 9.8fixed in 9.22023-11-27
CVE-2023-41999 [CRITICAL] CWE-287 CVE-2023-41999: An authentication bypass exists in Arcserve UDP prior to version 9.2. An unauthenticated, remote att An authentication bypass exists in Arcserve UDP prior to version 9.2. An unauthenticated, remote attacker can obtain a valid authentication identifier that allows them to authenticate to the management console and perform tasks that require authentication.
nvd
CVE-2025-34520P2CRITICALCVSS 9.8fixed in 7.0≥ 8.0, < 10.2+1 more2025-08-27
CVE-2025-34520 [CRITICAL] CWE-288 CVE-2025-34520: An authentication bypass vulnerability in Arcserve Unified Data Protection (UDP) allows unauthentica An authentication bypass vulnerability in Arcserve Unified Data Protection (UDP) allows unauthenticated attackers to gain unauthorized access to protected functionality or user accounts. By manipulating specific request parameters or exploiting a logic flaw, an attacker can bypass login mechanisms without valid credentials and access administrator
nvd
CVE-2023-42000P2CRITICALCVSS 9.8fixed in 9.22023-11-27
CVE-2023-42000 [CRITICAL] CWE-22 CVE-2023-42000: Arcserve UDP prior to 9.2 contains a path traversal vulnerability in com.ca.arcflash.ui.server.servl Arcserve UDP prior to 9.2 contains a path traversal vulnerability in com.ca.arcflash.ui.server.servlet.FileHandlingServlet.doUpload(). An unauthenticated remote attacker can exploit it to upload arbitrary files to any location on the file system where the UDP agent is installed.
nvd
CVE-2025-34522P2CRITICALCVSS 9.8fixed in 7.0≥ 8.0, < 10.2+1 more2025-08-27
CVE-2025-34522 [CRITICAL] CWE-122 CVE-2025-34522: A heap-based buffer overflow vulnerability exists in the input parsing logic of Arcserve Unified Dat A heap-based buffer overflow vulnerability exists in the input parsing logic of Arcserve Unified Data Protection (UDP). This flaw can be triggered without authentication by sending specially crafted input to the target system. Improper bounds checking allows an attacker to overwrite heap memory, potentially leading to application crashes or remote
nvd
CVE-2025-34523P2CRITICALCVSS 9.8fixed in 7.0≥ 8.0, < 10.2+1 more2025-08-27
CVE-2025-34523 [CRITICAL] CVE-2025-34523: A heap-based buffer overflow vulnerability exists in the network-facing input handling routines of A A heap-based buffer overflow vulnerability exists in the network-facing input handling routines of Arcserve Unified Data Protection (UDP). This flaw is reachable without authentication and results from improper bounds checking when processing attacker-controlled input. By sending specially crafted data, a remote attacker can corrupt heap memory, potential
nvd
CVE-2018-18659P3HIGHCVSS 7.5v6.0v6.52018-10-26
CVE-2018-18659 [HIGH] CWE-611 CVE-2018-18659: An issue was discovered in Arcserve Unified Data Protection (UDP) through 6.5 Update 4. There is a D An issue was discovered in Arcserve Unified Data Protection (UDP) through 6.5 Update 4. There is a DDI-VRT-2018-19 Unauthenticated XXE in /management/UdpHttpService issue.
nvd
CVE-2018-18658P3HIGHCVSS 7.5v6.0v6.52018-10-26
CVE-2018-18658 [HIGH] CWE-200 CVE-2018-18658: An issue was discovered in Arcserve Unified Data Protection (UDP) through 6.5 Update 4. There is a D An issue was discovered in Arcserve Unified Data Protection (UDP) through 6.5 Update 4. There is a DDI-VRT-2018-20 Unauthenticated Sensitive Information Disclosure via /UDPUpdates/Config/FullUpdateSettings.xml issue.
nvd
CVE-2018-18657P3HIGHCVSS 7.5v6.0v6.52018-10-26
CVE-2018-18657 [HIGH] CWE-200 CVE-2018-18657: An issue was discovered in Arcserve Unified Data Protection (UDP) through 6.5 Update 4. There is a D An issue was discovered in Arcserve Unified Data Protection (UDP) through 6.5 Update 4. There is a DDI-VRT-2018-18 Unauthenticated Sensitive Information Disclosure via /gateway/services/EdgeServiceImpl issue.
nvd
CVE-2025-34521P4MEDIUMCVSS 5.4fixed in 7.0≥ 8.0, < 10.2+1 more2025-08-27
CVE-2025-34521 [MEDIUM] CWE-79 CVE-2025-34521: A reflected cross-site scripting (XSS) vulnerability exists in the web interface of the Arcserve Uni A reflected cross-site scripting (XSS) vulnerability exists in the web interface of the Arcserve Unified Data Protection (UDP), where unsanitized user input is improperly reflected in HTTP responses. This flaw allows remote attackers with low privileges to craft malicious links that, when visited by another user, execute arbitrary JavaScript in the v
nvd
CVE-2018-18660P4MEDIUMCVSS 6.1fixed in 6.5v6.52018-10-26
CVE-2018-18660 [MEDIUM] CWE-79 CVE-2018-18660: An issue was discovered in Arcserve Unified Data Protection (UDP) through 6.5 Update 4. There is a D An issue was discovered in Arcserve Unified Data Protection (UDP) through 6.5 Update 4. There is a DDI-VRT-2018-21 Reflected Cross-site Scripting via /authenticationendpoint/domain.jsp issue.
nvd
Arcserve Udp vulnerabilities | cvebase