PatchSiren cyber security CVE debrief
CVE-2025-34523 Arcserve CVE debrief
A critical heap-based buffer overflow vulnerability in Arcserve Unified Data Protection (UDP) allows unauthenticated remote attackers to corrupt heap memory via crafted network input. The flaw stems from improper bounds checking in network-facing input handling routines. Successful exploitation may result in denial of service or arbitrary code execution depending on memory layout conditions. No user interaction is required. This vulnerability is related to CVE-2025-34522 but affects a distinct code path or component.
- Vendor: Arcserve
- Product: Unified Data Protection (UDP)
- CVSS: CRITICAL 9.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-27
- Original CVE updated: 2026-05-26
- Advisory published: 2025-08-27
- Advisory updated: 2026-05-26
Who should care
Organizations operating Arcserve UDP for backup and disaster recovery infrastructure, particularly those with internet-exposed or broadly accessible management interfaces. Security teams responsible for data protection platform hardening and patch management. Incident response teams monitoring for memory corruption exploitation in backup software components.
Technical summary
The vulnerability exists in network-facing input handling routines of Arcserve UDP where improper bounds checking permits heap memory corruption through attacker-controlled input. The attack vector is network-based with high attack complexity, requiring no authentication or user interaction. Affected versions span all releases prior to 10.2, with specific CPE entries for 7.0, 7.0 Update 1, 7.0 Update 2, and the 8.0-10.1 range. The CVSS 4.0 vector (AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H) reflects high impact on confidentiality, integrity, and availability despite the attack complexity constraint. Remediation requires version 10.2 or the applicable patches for supported versions.
Defensive priority
critical
Recommended defensive actions
- Upgrade to Arcserve UDP 10.2 to remediate this vulnerability; this version includes all necessary patches and requires no additional action.
- If running supported versions 8.0 through 10.1, apply vendor-provided patches or upgrade to version 10.2.
- If running unsupported versions 7.x or earlier, upgrade to version 10.2 as no patches are available for out-of-maintenance releases.
- Restrict network access to Arcserve UDP management and data protection interfaces to trusted administrative hosts only, implementing network segmentation until patching is complete.
- Monitor for anomalous network connections to UDP services and unexpected process crashes that may indicate exploitation attempts.
- Review related CVE-2025-34522 for similar attack patterns and ensure comprehensive coverage of affected components.
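The three remediation branches above (10.2 or later needs nothing, 8.0 through 10.1 patch or upgrade, 7.x or earlier must upgrade) as an added triage helper for a host inventory; this is example code written for this debrief, not Arcserve's or PatchSiren's, and the version-string format it parses and the sample hostnames are assumptions.

```python
import re
from collections import namedtuple

# First fixed release per the advisory: every UDP release before 10.2 is affected.
FIXED_VERSION = (10, 2)

# Accepts "7.0", "7.0 Update 2", "10.1", "9.0.1". The format is an assumption about
# how versions are recorded in an inventory, not Arcserve's own version scheme.
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\s+Update\s+(\d+))?\s*$", re.IGNORECASE)

Triage = namedtuple("Triage", "version affected action")

def parse_udp_version(text: str) -> tuple:
    """Parse a version string into (major, minor, patch, update) for comparison."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognized Arcserve UDP version string: {text!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch or 0), int(update or 0))

def triage(text: str) -> Triage:
    """Apply the advisory's three remediation branches to one version string."""
    v = parse_udp_version(text)
    affected = v[:2] < FIXED_VERSION          # anything before 10.2 is affected
    if not affected:
        action = "not affected: 10.2 or later, no action required"
    elif v[0] >= 8:
        action = "supported 8.0-10.1 release: apply vendor patch or upgrade to 10.2"
    else:
        action = "out-of-maintenance 7.x or earlier: upgrade to 10.2 (no patch available)"
    return Triage(v, affected, action)

def plan_remediation(inventory: dict) -> dict:
    """Group hosts by required action so each branch becomes one work item."""
    plan: dict = {}
    for host, version in inventory.items():
        plan.setdefault(triage(version).action, []).append(host)
    return plan

# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = {
    "udp-console-01": "10.2",
    "udp-rps-02": "10.1",
    "udp-legacy-03": "7.0 Update 2",
    "udp-branch-04": "8.0",
}
```

Calling plan_remediation(SAMPLE_INVENTORY) returns the hosts grouped under the three action strings, and an unparseable version raises ValueError so it is not silently treated as unaffected.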
Evidence notes
CVE published 2025-08-27; modified 2026-05-26. CVSS 4.0 vector indicates network attack vector with high attack complexity, no privileges required, no user interaction, and high impact to confidentiality, integrity, and availability. CPE criteria confirm affected versions: all UDP versions prior to 10.2, including 7.0, 7.0 Update 1, 7.0 Update 2, and 8.0 through 10.1. Vendor advisory confirms UDP 10.2 contains patches; versions 8.0-10.1 require patching or upgrade; versions 7.x and earlier require upgrade to 10.2.
Official resources
- CVE-2025-34523 CVE record (CVE.org)
- CVE-2025-34523 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory, 2025-08-27