Arcserve Unified Data Protection reports three critical issues, exploit PoCs released

published: Nov. 29, 2023

Take action: Upgrading a backup server is never an easy task, even with auto-update. First confirm that the server is isolated from internet access, then plan the update, because an attacker who gains a foothold inside the network will eventually reach the backup infrastructure.

Learn More

Security researchers recently released Proof of Concepts (PoCs) for critical security vulnerabilities in Arcserve's Unified Data Protection (UDP) solution, following Arcserve's fixes for these flaws. The vulnerabilities, tracked as CVE-2023-41998, CVE-2023-41999, and CVE-2023-42000 (all three have a CVSS v3 score of 9.8), pose significant risks to the product.

Arcserve Unified Data Protection (UDP) is an advanced data protection, backup, and disaster recovery solution primarily designed for enterprise environments.

  • CVE-2023-41998 is found in the interface of Arcserve UDP, allowing an unauthenticated, remote attacker to upload and execute arbitrary files and code remotely through the downloadAndInstallPath() routine.
  • CVE-2023-41999, located in the solution's management console, could enable an unauthenticated remote attacker to acquire a valid authentication UUID to log into the console and potentially access administrative credentials.
  • CVE-2023-42000 is a path traversal issue that may permit unauthenticated remote attackers to upload files to any location on the file system where the UDP agent is installed.

These vulnerabilities are present in versions of Arcserve UDP prior to v9.2. Arcserve is urging users to upgrade to UDP 9.2, which can be done through the auto-update feature or by downloading the 9.2 RTM build. Additionally, manual patches for older supported versions of Arcserve UDP (9.1, 8.1, and 7.0 Update 2) are available, but these patches must be applied individually to each node.
