Overview

CVE: CVE-2025-34520, CVE-2025-34521, CVE-2025-34522, CVE-2025-34523
Severity: High
Date: 21August 2025

Arcserve has disclosed four security vulnerabilities in Arcserve UDP affecting all versions prior to 10.2. These include authentication bypass, cross-site scripting, and two pre-authentication heap overflow flaws that could enable remote code execution. The vulnerabilities were reported by WatchTowr Labs and have been fully addressed in Arcserve UDP 10.2.

 

Affected Versions

  • UDP 10.2: Patched — no action required
  • UDP 8.0 to 10.1: Vulnerable — patches available
  • UDP 7.x and earlier: Unsupported — upgrade to 10.2 required

 

Vulnerability Breakdown

CVE-2025-34520 — Authentication Bypass

  • Description: Unauthenticated attackers can manipulate request parameters or logic flaws to bypass login mechanisms and access administrative functions.
  • Severity: High
  • CVSS Score: 7.5


CVE-2025-34521 — Reflected Cross-Site Scripting (XSS)

  • Description: Unsanitised input reflected in server responses allows attackers to inject arbitrary JavaScript. May result in session hijacking, credential theft, or other client-side attacks.
  • Severity: Medium
  • CVSS Score: 5.4

 

CVE-2025-34522 — Pre-Authentication Heap Overflow 

  • Description: Heap-based buffer overflow triggered before authentication via crafted input. May lead to memory corruption or remote code execution.
  • Severity: High

 

CVE-2025-34523 — Pre-Authentication Heap Overflow 

  • Description: A distinct heap overflow due to improper bounds checking. Can lead to denial of service or arbitrary code execution.
  • Severity: High

 

Mitigation

  • Upgrade to Arcserve UDP 10.2, released 23 July 2025.
  • For UDP 8.x – 10.1: Apply patches via Arcserve
  • For UDP 7.x or earlier: Upgrade is mandatory as these versions are no longer supported.
  • Maintenance lapsed? Contact Arcserve Sales to reactivate access to security updates.

Summary for IT Teams

  • Products: Arcserve UDP (8.0–10.1)
  • Threat Level: High
  • Action Required:
    • Patch or upgrade to UDP 10.2 immediately
    • Decommission unsupported versions
    • Monitor for suspicious admin activity and memory access patterns
    • Audit web interfaces and input validation practices

 

References

 

Need Help?

If your organisation requires assistance identifying affected systems, applying updates or adjusting controller configurations, our team is here to help. Email us via soc@secure-iss.com for assistance.