CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2023-26258

Arcserve UDP through 9.0.6034 allows authentication bypass. The method getVersionInfo at WebServiceImpl/services/FlashServiceImpl leaks the AuthUUID token. This token can be used at /WebServiceImpl/services/VirtualStandbyServiceImpl to obtain a valid session. This session can be used to execute any task as administrator.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.884

EPSS Ranking 99.4%

CVSS Severity

CVSS v3 Score 9.8

References

https://support.arcserve.com/s/article/KB000015720?language=en_US
https://www.arcserve.com/products/arcserve-udp
https://www.mdsec.co.uk/2023/06/cve-2023-26258-remote-code-execution-in-arcserve-udp-backup/
https://support.arcserve.com/s/article/KB000015720?language=en_US
https://www.arcserve.com/products/arcserve-udp
https://www.mdsec.co.uk/2023/06/cve-2023-26258-remote-code-execution-in-arcserve-udp-backup/

Products affected by CVE-2023-26258

Arcserve » Udp » Version: N/A

cpe:2.3:a:arcserve:udp:-
Arcserve » Udp » Version: 5.0

cpe:2.3:a:arcserve:udp:5.0
Arcserve » Udp » Version: 6.0

cpe:2.3:a:arcserve:udp:6.0
Arcserve » Udp » Version: 6.5

cpe:2.3:a:arcserve:udp:6.5
Arcserve » Udp » Version: 7.0

cpe:2.3:a:arcserve:udp:7.0
Arcserve » Udp » Version: 9.0.6034

cpe:2.3:a:arcserve:udp:9.0.6034

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2023-26258

Products

Pricing

Contact Us