An authentication bypass vulnerability in the Arcserve Unified Data Protection enterprise data protection solution can be exploited to compromise admin accounts and take over vulnerable instances, MDSec researchers Juan Manuel Fernández and Sean Doherty have found – and have released a PoC exploit for it.
“At this time, Arcserve is not aware of any active attempts to exploit this vulnerability,” the company said on Tuesday, when it pushed out fixes for the flaw.
CVE-2023-26258 affects Arcserver UDP versions 7.0 to 9.0 – UDP 6.x and older versions are not affected.
The vulnerability also does not affect the Arcserve UDP Linux Agent.
“We strongly recommend all the users upgrade to UDP 9.1 – which can be done via built-in auto-update in UDP version 9 or using the 9.1 RTM build for fresh deployments and old versions,” the company advises.
According to MDSec’s disclosure timeline, it took over four months for Arcserve to confim the researchers’ findings and release patches, initially without crediting the discovery of the vulnerability to Fernández and Doherty.
