Arcserve
Products
6- 11 CVEs
- 7 CVEs
- 2 CVEs
- 1 CVE
- 1 CVE
- 1 CVE
Recent CVEs
22| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2015-4068 | Cri | 0.76 | 9.1 | 0.64 | KEV | May 29, 2015 | Directory traversal vulnerability in Arcserve UDP before 5.0 Update 4 allows remote attackers to obtain sensitive information or cause a denial of service via a crafted file path to the (1) reportFileServlet or (2) exportServlet servlet. | |
| CVE-2025-34523 | Cri | 0.64 | 9.8 | 0.01 | Aug 27, 2025 | A heap-based buffer overflow vulnerability exists in the network-facing input handling routines of Arcserve Unified Data Protection (UDP). This flaw is reachable without authentication and results from improper bounds checking when processing attacker-controlled input. By… | ||
| CVE-2026-40118 | Med | 0.41 | 6.3 | 0.00 | Apr 16, 2026 | UDP Console provided by Arcserve contains an incorrectly specified destination in a communication channel vulnerability. When a user configures an activation server hostname of the affected product to a dummy URL, the product may unintentionally communicate with the dummy… | ||
| CVE-2023-26258 | 0.06 | — | 0.38 | Jul 3, 2023 | Arcserve UDP through 9.0.6034 allows authentication bypass. The method getVersionInfo at WebServiceImpl/services/FlashServiceImpl leaks the AuthUUID token. This token can be used at /WebServiceImpl/services/VirtualStandbyServiceImpl to obtain a valid session. This session can be… | |||
| CVE-2024-0801 | 0.04 | — | 0.42 | Mar 13, 2024 | A denial of service vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in ASNative.dll. | |||
| CVE-2024-0799 | 0.03 | — | 0.04 | Mar 13, 2024 | An authentication bypass vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in the edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.EdgeLoginServiceImpl.doLogin() function within wizardLogin. | |||
| CVE-2023-41998 | 0.01 | — | 0.15 | Nov 27, 2023 | Arcserve UDP prior to 9.2 contained a vulnerability in the com.ca.arcflash.rps.webservice.RPSService4CPMImpl interface. A routine exists that allows an attacker to upload and execute arbitrary files. | |||
| CVE-2025-34520 | 0.00 | — | 0.00 | Aug 27, 2025 | An authentication bypass vulnerability in Arcserve Unified Data Protection (UDP) allows unauthenticated attackers to gain unauthorized access to protected functionality or user accounts. By manipulating specific request parameters or exploiting a logic flaw, an attacker can… | |||
| CVE-2025-34521 | 0.00 | — | 0.00 | Aug 27, 2025 | A reflected cross-site scripting (XSS) vulnerability exists in the web interface of the Arcserve Unified Data Protection (UDP), where unsanitized user input is improperly reflected in HTTP responses. This flaw allows remote attackers with low privileges to craft malicious links… | |||
| CVE-2025-34522 | 0.00 | — | 0.01 | Aug 27, 2025 | A heap-based buffer overflow vulnerability exists in the input parsing logic of Arcserve Unified Data Protection (UDP). This flaw can be triggered without authentication by sending specially crafted input to the target system. Improper bounds checking allows an attacker to… | |||
| CVE-2024-0800 | 0.00 | — | 0.01 | Mar 13, 2024 | A path traversal vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.servlet.ImportNodeServlet. | |||
| CVE-2023-42000 | 0.00 | — | 0.01 | Nov 27, 2023 | Arcserve UDP prior to 9.2 contains a path traversal vulnerability in com.ca.arcflash.ui.server.servlet.FileHandlingServlet.doUpload(). An unauthenticated remote attacker can exploit it to upload arbitrary files to any location on the file system where the UDP agent is installed. | |||
| CVE-2023-41999 | 0.00 | — | 0.01 | Nov 27, 2023 | An authentication bypass exists in Arcserve UDP prior to version 9.2. An unauthenticated, remote attacker can obtain a valid authentication identifier that allows them to authenticate to the management console and perform tasks that require authentication. | |||
| CVE-2023-27247 | 0.00 | — | 0.00 | Mar 28, 2023 | Cynet Client Agent v4.6.0.8010 allows attackers with Administrator rights to disable the EDR functions by disabling process privilege tokens. | |||
| CVE-2019-20456 | 0.00 | — | 0.01 | Feb 16, 2020 | Goverlan Reach Console before 9.50, Goverlan Reach Server before 3.50, and Goverlan Client Agent before 9.20.50 have an Untrusted Search Path that leads to Command Injection and Local Privilege Escalation via DLL hijacking. | |||
| CVE-2018-18658 | 0.00 | — | 0.01 | Oct 26, 2018 | An issue was discovered in Arcserve Unified Data Protection (UDP) through 6.5 Update 4. There is a DDI-VRT-2018-20 Unauthenticated Sensitive Information Disclosure via /UDPUpdates/Config/FullUpdateSettings.xml issue. | |||
| CVE-2018-18660 | 0.00 | — | 0.01 | Oct 26, 2018 | An issue was discovered in Arcserve Unified Data Protection (UDP) through 6.5 Update 4. There is a DDI-VRT-2018-21 Reflected Cross-site Scripting via /authenticationendpoint/domain.jsp issue. | |||
| CVE-2018-18657 | 0.00 | — | 0.01 | Oct 26, 2018 | An issue was discovered in Arcserve Unified Data Protection (UDP) through 6.5 Update 4. There is a DDI-VRT-2018-18 Unauthenticated Sensitive Information Disclosure via /gateway/services/EdgeServiceImpl issue. | |||
| CVE-2018-18659 | 0.00 | — | 0.02 | Oct 26, 2018 | An issue was discovered in Arcserve Unified Data Protection (UDP) through 6.5 Update 4. There is a DDI-VRT-2018-19 Unauthenticated XXE in /management/UdpHttpService issue. | |||
| CVE-2015-4069 | 0.00 | — | 0.04 | May 29, 2015 | The EdgeServiceImpl web service in Arcserve UDP before 5.0 Update 4 allows remote attackers to obtain sensitive credentials via a crafted SOAP request to the (1) getBackupPolicy or (2) getBackupPolicies method. |
- risk 0.76cvss 9.1epss 0.64
Directory traversal vulnerability in Arcserve UDP before 5.0 Update 4 allows remote attackers to obtain sensitive information or cause a denial of service via a crafted file path to the (1) reportFileServlet or (2) exportServlet servlet.
- risk 0.64cvss 9.8epss 0.01
A heap-based buffer overflow vulnerability exists in the network-facing input handling routines of Arcserve Unified Data Protection (UDP). This flaw is reachable without authentication and results from improper bounds checking when processing attacker-controlled input. By…
- risk 0.41cvss 6.3epss 0.00
UDP Console provided by Arcserve contains an incorrectly specified destination in a communication channel vulnerability. When a user configures an activation server hostname of the affected product to a dummy URL, the product may unintentionally communicate with the dummy…
- CVE-2023-26258Jul 3, 2023risk 0.06cvss —epss 0.38
Arcserve UDP through 9.0.6034 allows authentication bypass. The method getVersionInfo at WebServiceImpl/services/FlashServiceImpl leaks the AuthUUID token. This token can be used at /WebServiceImpl/services/VirtualStandbyServiceImpl to obtain a valid session. This session can be…
- CVE-2024-0801Mar 13, 2024risk 0.04cvss —epss 0.42
A denial of service vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in ASNative.dll.
- CVE-2024-0799Mar 13, 2024risk 0.03cvss —epss 0.04
An authentication bypass vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in the edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.EdgeLoginServiceImpl.doLogin() function within wizardLogin.
- CVE-2023-41998Nov 27, 2023risk 0.01cvss —epss 0.15
Arcserve UDP prior to 9.2 contained a vulnerability in the com.ca.arcflash.rps.webservice.RPSService4CPMImpl interface. A routine exists that allows an attacker to upload and execute arbitrary files.
- CVE-2025-34520Aug 27, 2025risk 0.00cvss —epss 0.00
An authentication bypass vulnerability in Arcserve Unified Data Protection (UDP) allows unauthenticated attackers to gain unauthorized access to protected functionality or user accounts. By manipulating specific request parameters or exploiting a logic flaw, an attacker can…
- CVE-2025-34521Aug 27, 2025risk 0.00cvss —epss 0.00
A reflected cross-site scripting (XSS) vulnerability exists in the web interface of the Arcserve Unified Data Protection (UDP), where unsanitized user input is improperly reflected in HTTP responses. This flaw allows remote attackers with low privileges to craft malicious links…
- CVE-2025-34522Aug 27, 2025risk 0.00cvss —epss 0.01
A heap-based buffer overflow vulnerability exists in the input parsing logic of Arcserve Unified Data Protection (UDP). This flaw can be triggered without authentication by sending specially crafted input to the target system. Improper bounds checking allows an attacker to…
- CVE-2024-0800Mar 13, 2024risk 0.00cvss —epss 0.01
A path traversal vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.servlet.ImportNodeServlet.
- CVE-2023-42000Nov 27, 2023risk 0.00cvss —epss 0.01
Arcserve UDP prior to 9.2 contains a path traversal vulnerability in com.ca.arcflash.ui.server.servlet.FileHandlingServlet.doUpload(). An unauthenticated remote attacker can exploit it to upload arbitrary files to any location on the file system where the UDP agent is installed.
- CVE-2023-41999Nov 27, 2023risk 0.00cvss —epss 0.01
An authentication bypass exists in Arcserve UDP prior to version 9.2. An unauthenticated, remote attacker can obtain a valid authentication identifier that allows them to authenticate to the management console and perform tasks that require authentication.
- CVE-2023-27247Mar 28, 2023risk 0.00cvss —epss 0.00
Cynet Client Agent v4.6.0.8010 allows attackers with Administrator rights to disable the EDR functions by disabling process privilege tokens.
- CVE-2019-20456Feb 16, 2020risk 0.00cvss —epss 0.01
Goverlan Reach Console before 9.50, Goverlan Reach Server before 3.50, and Goverlan Client Agent before 9.20.50 have an Untrusted Search Path that leads to Command Injection and Local Privilege Escalation via DLL hijacking.
- CVE-2018-18658Oct 26, 2018risk 0.00cvss —epss 0.01
An issue was discovered in Arcserve Unified Data Protection (UDP) through 6.5 Update 4. There is a DDI-VRT-2018-20 Unauthenticated Sensitive Information Disclosure via /UDPUpdates/Config/FullUpdateSettings.xml issue.
- CVE-2018-18660Oct 26, 2018risk 0.00cvss —epss 0.01
An issue was discovered in Arcserve Unified Data Protection (UDP) through 6.5 Update 4. There is a DDI-VRT-2018-21 Reflected Cross-site Scripting via /authenticationendpoint/domain.jsp issue.
- CVE-2018-18657Oct 26, 2018risk 0.00cvss —epss 0.01
An issue was discovered in Arcserve Unified Data Protection (UDP) through 6.5 Update 4. There is a DDI-VRT-2018-18 Unauthenticated Sensitive Information Disclosure via /gateway/services/EdgeServiceImpl issue.
- CVE-2018-18659Oct 26, 2018risk 0.00cvss —epss 0.02
An issue was discovered in Arcserve Unified Data Protection (UDP) through 6.5 Update 4. There is a DDI-VRT-2018-19 Unauthenticated XXE in /management/UdpHttpService issue.
- CVE-2015-4069May 29, 2015risk 0.00cvss —epss 0.04
The EdgeServiceImpl web service in Arcserve UDP before 5.0 Update 4 allows remote attackers to obtain sensitive credentials via a crafted SOAP request to the (1) getBackupPolicy or (2) getBackupPolicies method.