External risk intelligence

Arcserve UDP allows remote attackers to execute code or cause service disruption

CVE advisory. Severity: CRITICAL (CVSS 9.2)

CVE-2025-34523

A critical flaw in Arcserve UDP allows unauthenticated attackers to crash the service or possibly run their own code remotely, affecting data protection operations. Address this now to prevent disruption.

Halo Surface Signal: 2

Buffer Overflow

Arcserve UDP

before 7.08.0 to before 10.27.0

External exposure likelihood

Halo Surface Signal score for CVE-2025-34523

Arcserve Unified Data Protection is an enterprise backup and disaster recovery solution typically deployed on internal networks. While it utilizes network-facing listeners and ports for management and replication, direct exposure to the public internet is uncommon and usually restricted behind corporate firewalls or internal network controls.

Horizon Alert

Summary of the vulnerability and why it matters

A serious flaw in Arcserve Unified Data Protection (UDP) could allow an unauthenticated attacker to cause a denial of service or potentially execute code. This happens when specially crafted network data corrupts memory, impacting the software's ability to function. It's crucial to address this because it can be exploited remotely without any user interaction.

  • Remote attackers can exploit this without authentication.
  • It can lead to service disruption.
  • Code execution is a possibility.

Attack Path

How an attacker could exploit the issue

An unauthenticated remote attacker can exploit this heap buffer overflow by sending specially crafted network data to an Arcserve UDP instance. This can lead to memory corruption, potentially allowing the attacker to execute arbitrary code within the context of the UDP service.

  • Exploitable remotely.
  • No authentication required.
  • Targets network input routines.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Arcserve UDP presents a moderate threat. While it is reachable remotely and without authentication, its impact is mitigated by the fact that Arcserve UDP is generally deployed in internal environments, not directly exposed to the public internet. Attackers would likely need a pre-existing foothold within the network to exploit it effectively.

  • Exploitation requires internal network access.
  • No public exploit code is available.
  • Recent vulnerability; limited observation of threat-actor activity so far.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching or upgrading Arcserve UDP to version 10.2 to address the critical heap-based buffer overflow vulnerability. If immediate patching is not feasible, isolate affected services to prevent potential exploitation and widespread impact, as this vulnerability is remotely exploitable without authentication and could lead to code execution.

  • Upgrade to UDP 10.2 or apply patches.
  • Isolate affected UDP systems from the network.
  • Monitor for signs of compromise.

Frequently asked questions

What is Arcserve Unified Data Protection (UDP)?

Arcserve Unified Data Protection (UDP) is a software solution used for backup and disaster recovery. It helps organizations protect their data and ensure business continuity by creating copies of data and enabling quick restoration in case of hardware failure, cyberattacks, or other disasters.

How does CVE-2025-34523 threaten Arcserve UDP?

CVE-2025-34523 is a heap-based buffer overflow vulnerability. This weakness occurs when the software doesn't properly check the size of data it receives, allowing an attacker to send more data than the receiving heap buffer can hold. The excess overwrites adjacent memory, leading to a denial of service or potentially allowing an attacker to run their own code.
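The following C program is an added illustration of the weakness class described above; it is not Arcserve's code and the two-byte length-prefixed wire format, the `MAX_PAYLOAD` size and the function names are constructed for the example. It shows the hardened form of a network input routine: every length taken from the wire is checked against both the bytes actually received and the capacity of the destination buffer before anything is copied. The comments point out which checks the unsafe pattern omits.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format for illustration only (not Arcserve's protocol):
 *   bytes 0..1 : payload length, big-endian
 *   bytes 2..  : payload
 */
#define MAX_PAYLOAD 64   /* assumed fixed-size destination buffer */

enum parse_status {
    PARSE_OK = 0,
    PARSE_TRUNCATED_HEADER,      /* fewer than 2 bytes received */
    PARSE_LENGTH_EXCEEDS_INPUT,  /* declared length runs past the bytes received */
    PARSE_LENGTH_EXCEEDS_BUFFER  /* declared length larger than the destination */
};

/* Hardened parser. The unsafe pattern behind a heap-based buffer overflow is
 * this same function with the two size checks removed: a fixed-size buffer is
 * allocated and memcpy copies 'declared' bytes into it regardless of fit, so a
 * large declared length overwrites whatever the allocator placed after it. */
enum parse_status parse_message(const uint8_t *in, size_t in_len,
                                uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (in_len < 2)
        return PARSE_TRUNCATED_HEADER;

    size_t declared = ((size_t)in[0] << 8) | in[1];

    /* Check 1: never read beyond the data actually held. */
    if (declared > in_len - 2)
        return PARSE_LENGTH_EXCEEDS_INPUT;

    /* Check 2: never write beyond the destination buffer. */
    if (declared > out_cap)
        return PARSE_LENGTH_EXCEEDS_BUFFER;

    memcpy(out, in + 2, declared);
    *out_len = declared;
    return PARSE_OK;
}

/* Build a constructed message: a header declaring 'declared' bytes, followed
 * by 'actual' filler bytes (which may be fewer than declared, to simulate a
 * lying header). Returns the number of bytes written, 0 if buf is too small. */
size_t build_message(uint8_t *buf, size_t buf_cap, uint16_t declared, size_t actual)
{
    if (buf_cap < 2 + actual)
        return 0;
    buf[0] = (uint8_t)(declared >> 8);
    buf[1] = (uint8_t)(declared & 0xff);
    memset(buf + 2, 'A', actual);
    return 2 + actual;
}

/* Run one constructed case: build the message, then hand the first 'feed'
 * bytes of it to the parser. Returns the parse_status as an int. */
int run_case(uint16_t declared, size_t actual, size_t feed)
{
    uint8_t msg[2 + 512];
    uint8_t out[MAX_PAYLOAD];
    size_t got = 0;
    size_t n = build_message(msg, sizeof msg, declared, actual);
    if (feed > n)
        feed = n;
    return (int)parse_message(msg, feed, out, sizeof out, &got);
}

int main(void)
{
    static const char *names[] = {
        "PARSE_OK", "PARSE_TRUNCATED_HEADER",
        "PARSE_LENGTH_EXCEEDS_INPUT", "PARSE_LENGTH_EXCEEDS_BUFFER"
    };
    printf("well-formed 10-byte payload : %s\n", names[run_case(10, 10, 512)]);
    printf("header claims 500 bytes     : %s\n", names[run_case(500, 500, 512)]);
    printf("header claims 30, only 5    : %s\n", names[run_case(30, 5, 512)]);
    printf("single byte received        : %s\n", names[run_case(10, 10, 1)]);
    return 0;
}
```

The second case is the one the advisory describes: the peer declares a payload larger than the fixed buffer, and the hardened parser rejects it instead of copying. Check 1 matters as well, since without it a short message with a large declared length makes the parser read past the end of the receive buffer.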

What are the attacker's preconditions to exploit CVE-2025-34523?

An attacker needs to send specially crafted network data to the Arcserve UDP software. No authentication is required, and the vulnerability can be triggered remotely. However, the Halo Surface Signal indicates that Arcserve UDP is typically deployed on internal networks, suggesting an attacker might need prior access to that internal network.

Who should be concerned about this Arcserve UDP vulnerability?

Any organization using Arcserve Unified Data Protection versions prior to 10.2 should be concerned. Since the software is generally used internally and not directly exposed to the internet, an attacker would likely need to be on the internal network to exploit this flaw effectively.

What is the first step to respond to this CVE?

The primary action is to upgrade Arcserve UDP to version 10.2, which includes the necessary patches to fix this vulnerability. If an immediate upgrade is not possible, isolating the affected UDP systems from the network is a recommended interim measure to prevent exploitation.
