PT-2023-28207 · Arcserve · Arcserve UDP

Published: 2023-11-27 · Updated: 2024-01-11 · CVE-2023-41998

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Arcserve UDP versions prior to 9.2

Description: The issue allows an attacker to upload and execute arbitrary files. It is reachable through the com.ca.arcflash.rps.webservice.RPSService4CPMImpl interface, specifically via a routine that performs file upload and execution. An unauthenticated remote threat actor can exploit this issue to upload and execute malicious files using the downloadAndInstallPatch() routine.

Recommendations: For Arcserve UDP versions prior to 9.2, update to version 9.2 or later to resolve the issue. As a temporary workaround, restrict access to the com.ca.arcflash.rps.webservice.RPSService4CPMImpl interface and the downloadAndInstallPatch() routine to reduce the risk of exploitation.


Weakness Enumeration: Unrestricted File Upload

Related Identifiers: CVE-2023-41998

Affected Products: Arcserve UDP