PT-2023-3347 · Arcserve · Arcserve Udp

Juan Manuel Fernandez (+2)

Published: 2023-06-28 · Updated: 2025-09-19

CVE-2023-26258

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Arcserve UDP versions 7.0 through 9.0.6034

Description: The issue allows authentication bypass, enabling an attacker to obtain a valid session and execute tasks as an administrator. This is achieved by exploiting the getVersionInfo method at WebServiceImpl/services/FlashServiceImpl, which leaks the AuthUUID token. The token can then be used at /WebServiceImpl/services/VirtualStandbyServiceImpl to gain administrative access. The vulnerability may be exploited by sending a specially crafted HTTP request, potentially allowing an attacker to elevate privileges and execute arbitrary code. It is estimated that 235,000 clients in 150 countries use the affected software, which could be targeted in ransomware attacks to delete data, including backups.

Recommendations: For Arcserve UDP versions 7.0 through 9.0.6034, update to version 9.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the WebServiceImpl/services/FlashServiceImpl and /WebServiceImpl/services/VirtualStandbyServiceImpl endpoints until a patch is available. Avoid using the AuthUUID token in the affected API endpoints until the issue is resolved.
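The following is an added example (not part of this advisory or of Arcserve's software) showing how a defender can check web-server access logs against the workaround above: it flags requests to the two service paths named in the advisory that come from outside an assumed management network, and it flags any client that reaches FlashServiceImpl and then VirtualStandbyServiceImpl, the sequence the description attributes to the bypass. The log lines, the management subnet and the Common Log Format layout are assumptions for illustration; the SOAP method name is not visible in an access log, so matching is on the service path only.

```python
import re
import ipaddress

# Service paths named in the advisory for CVE-2023-26258 (no query string or SOAP body needed)
LEAK_PATH = "/WebServiceImpl/services/FlashServiceImpl"
ABUSE_PATH = "/WebServiceImpl/services/VirtualStandbyServiceImpl"

# Assumed Common Log Format: client ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def audit(lines, mgmt_nets):
    """Check access-log lines against the workaround (restricted endpoints) and the bypass chain.

    mgmt_nets: CIDR strings of the networks allowed to reach the two service paths.
    Returns (outside, chains):
      outside - (ip, path) hits on either path from an address outside mgmt_nets
      chains  - clients that touched FlashServiceImpl and later VirtualStandbyServiceImpl
    """
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    hit_leak, outside, chains = set(), [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if not (path.startswith(LEAK_PATH) or path.startswith(ABUSE_PATH)):
            continue  # unrelated request; only the two advisory paths are of interest
        ip = ipaddress.ip_address(rec["ip"])
        if not any(ip in n for n in nets):
            outside.append((rec["ip"], path))
        if path.startswith(LEAK_PATH):
            hit_leak.add(rec["ip"])
        elif rec["ip"] in hit_leak and rec["ip"] not in chains:
            chains.append(rec["ip"])
    return outside, chains

# Constructed sample log (not real traffic): 10.0.0.5 is an assumed management host,
# 198.51.100.7 is an outside client that walks the two-step sequence.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Jun/2023:10:00:01 +0000] "POST /WebServiceImpl/services/FlashServiceImpl HTTP/1.1" 200 512',
    '198.51.100.7 - - [28/Jun/2023:10:02:14 +0000] "POST /WebServiceImpl/services/FlashServiceImpl HTTP/1.1" 200 640',
    '198.51.100.7 - - [28/Jun/2023:10:02:15 +0000] "POST /WebServiceImpl/services/VirtualStandbyServiceImpl HTTP/1.1" 200 300',
    '203.0.113.9 - - [28/Jun/2023:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, ["10.0.0.0/24"]))
```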

Weakness Enumeration

Incorrect Authorization

Improper Authentication

Related Identifiers

BDU:2023-03503
CVE-2023-26258

Affected Products

Arcserve Udp