Aggregates CVE and security vulnerability intelligence across all arcserve-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk path handling, vendor risk cross-site scripting, vendor risk xxe, and vendor risk buffer overflow and related problems; some flaws may lead to vendor impact file overwrite.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-34523 | A heap-based buffer overflow vulnerability exists in the network-facing input handling routines of Arcserve Unified Data Protection (UDP). This flaw is reachable without authentication and results from improper bounds checking when processing attacker-controlled input. By sending specially crafted data, a remote attacker can corrupt heap memory, potentially causing a denial of service or enabling arbitrary code execution depending on the memory layout and exploitation techniques used. This vulne | [email protected] | 9.2 | 0.48% | 2025-08-27 | 2026-05-26 |
| CVE-2025-34522 | A heap-based buffer overflow vulnerability exists in the input parsing logic of Arcserve Unified Data Protection (UDP). This flaw can be triggered without authentication by sending specially crafted input to the target system. Improper bounds checking allows an attacker to overwrite heap memory, potentially leading to application crashes or remote code execution. Exploitation occurs in the context of the affected process and does not require user interaction. The vulnerability poses a high risk | [email protected] | 9.2 | 1.07% | 2025-08-27 | 2025-09-09 |
| CVE-2025-34521 | A reflected cross-site scripting (XSS) vulnerability exists in the web interface of the Arcserve Unified Data Protection (UDP), where unsanitized user input is improperly reflected in HTTP responses. This flaw allows remote attackers with low privileges to craft malicious links that, when visited by another user, execute arbitrary JavaScript in the victim’s browser. Successful exploitation may lead to session hijacking, credential theft, or other client-side impacts. The vulnerability requires u | [email protected] | 4.8 | 0.03% | 2025-08-27 | 2025-09-09 |
| CVE-2025-34520 | An authentication bypass vulnerability in Arcserve Unified Data Protection (UDP) allows unauthenticated attackers to gain unauthorized access to protected functionality or user accounts. By manipulating specific request parameters or exploiting a logic flaw, an attacker can bypass login mechanisms without valid credentials and access administrator-level features. This vulnerability affects all UDP versions prior to 10.2. UDP 10.2 includes the necessary patches and requires no action. Versions 8. | [email protected] | 7.7 | 0.27% | 2025-08-27 | 2025-09-09 |
| CVE-2024-0801 | A denial of service vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in ASNative.dll. | [email protected] | 7.5 | 49.21% | 2024-03-13 | 2025-10-14 |
| CVE-2024-0800 | A path traversal vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.servlet.ImportNodeServlet. | [email protected] | 8.8 | 0.26% | 2024-03-13 | 2025-10-14 |
| CVE-2024-0799 | An authentication bypass vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in the edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.EdgeLoginServiceImpl.doLogin() function within wizardLogin. | [email protected] | 9.8 | 37.88% | 2024-03-13 | 2025-10-14 |
| CVE-2023-42000 | Arcserve UDP prior to 9.2 contains a path traversal vulnerability in com.ca.arcflash.ui.server.servlet.FileHandlingServlet.doUpload(). An unauthenticated remote attacker can exploit it to upload arbitrary files to any location on the file system where the UDP agent is installed. | [email protected] | 9.8 | 1.24% | 2023-11-27 | 2024-11-21 |
| CVE-2023-41999 | An authentication bypass exists in Arcserve UDP prior to version 9.2. An unauthenticated, remote attacker can obtain a valid authentication identifier that allows them to authenticate to the management console and perform tasks that require authentication. | [email protected] | 9.8 | 0.14% | 2023-11-27 | 2024-11-21 |
| CVE-2023-41998 | Arcserve UDP prior to 9.2 contained a vulnerability in the com.ca.arcflash.rps.webservice.RPSService4CPMImpl interface. A routine exists that allows an attacker to upload and execute arbitrary files. | [email protected] | 9.8 | 15.29% | 2023-11-27 | 2024-11-21 |
| CVE-2023-26258 | Arcserve UDP through 9.0.6034 allows authentication bypass. The method getVersionInfo at WebServiceImpl/services/FlashServiceImpl leaks the AuthUUID token. This token can be used at /WebServiceImpl/services/VirtualStandbyServiceImpl to obtain a valid session. This session can be used to execute any task as administrator. | [email protected] | 9.8 | 80.77% | 2023-07-03 | 2024-11-21 |
| CVE-2020-27858 | This vulnerability allows remote attackers to disclose sensitive information on affected installations of CA Arcserve D2D 16.5. Authentication is not required to exploit this vulnerability. The specific flaw exists within the getNews method. Due to the improper restriction of XML External Entity (XXE) references, a specially-crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage | [email protected] | 7.5 | 23.36% | 2021-01-20 | 2024-11-21 |
| CVE-2018-18660 | An issue was discovered in Arcserve Unified Data Protection (UDP) through 6.5 Update 4. There is a DDI-VRT-2018-21 Reflected Cross-site Scripting via /authenticationendpoint/domain.jsp issue. | [email protected] | 6.1 | 0.33% | 2018-10-26 | 2024-11-21 |
| CVE-2018-18659 | An issue was discovered in Arcserve Unified Data Protection (UDP) through 6.5 Update 4. There is a DDI-VRT-2018-19 Unauthenticated XXE in /management/UdpHttpService issue. | [email protected] | 7.5 | 0.33% | 2018-10-26 | 2024-11-21 |
| CVE-2018-18658 | An issue was discovered in Arcserve Unified Data Protection (UDP) through 6.5 Update 4. There is a DDI-VRT-2018-20 Unauthenticated Sensitive Information Disclosure via /UDPUpdates/Config/FullUpdateSettings.xml issue. | [email protected] | 7.5 | 0.35% | 2018-10-26 | 2024-11-21 |
| CVE-2018-18657 | An issue was discovered in Arcserve Unified Data Protection (UDP) through 6.5 Update 4. There is a DDI-VRT-2018-18 Unauthenticated Sensitive Information Disclosure via /gateway/services/EdgeServiceImpl issue. | [email protected] | 7.5 | 0.35% | 2018-10-26 | 2024-11-21 |
| CVE-2015-4069 | The EdgeServiceImpl web service in Arcserve UDP before 5.0 Update 4 allows remote attackers to obtain sensitive credentials via a crafted SOAP request to the (1) getBackupPolicy or (2) getBackupPolicies method. | [email protected] | 7.8 | 0.60% | 2015-05-29 | 2026-05-06 |
| CVE-2015-4068 KEV | Directory traversal vulnerability in Arcserve UDP before 5.0 Update 4 allows remote attackers to obtain sensitive information or cause a denial of service via a crafted file path to the (1) reportFileServlet or (2) exportServlet servlet. | [email protected] | 9.1 | 80.42% | 2015-05-29 | 2026-04-21 |
| CVE-2006-6641 | Unspecified vulnerability in CA CleverPath Portal before maintenance version 4.71.001_179_060830, as used in multiple products including BrightStor Portal r11.1, CleverPath Aion BPM r10 through r10.2, eTrust Security Command Center r1 and r8, and Unicenter, does not properly handle when multiple Portal servers are started at the same time and share the same data store, which might cause a Portal user to inherit the session and credentials of a user who is on another Portal server. | [email protected] | 7.5 | 1.19% | 2006-12-20 | 2026-04-23 |