Latest Arcserve Unified Data Protection vulnerabilities #
Arcserve published a security bulletin for vulnerabilities that affect most versions of their Unified Data Protection (UDP) product. Successful exploitation may allow a remote, unauthenticated adversary to execute arbitrary code or perform administrator functions on affected installations. The following CVEs were designated for the vulnerabilities:
- CVE-2025-34522 has been rated critical with a CVSS score of 9.2.
- CVE-2025-34523 has been rated critical with a CVSS score of 9.2.
- CVE-2025-34520 has been rated high with a CVSS score of 7.7.
The following versions are affected
- Unified Data Protection versions 8.0 through 10.1.
- All versions prior to 8.0
What is the impact? #
Successful exploitation of CVE-2025-34522 or CVE-2025-34523 would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise. Successful exploitation of CVE-2025-34520 would allow an unauthenticated adversary to perform administrator functions, potentially compromising the integrity of a vulnerable system.
Are updates or workarounds available? #
Users are encouraged to update to the latest version as quickly as possible:
Customers running 10.2 are unaffected
Customers running UDP version 8.0 through 10.1, should apply patches available for download from Arcserver.
Customers running older, unsupported versions UDP 7.0 and earlier are asked to upgrade to UDP 10.2.
How to find potentially vulnerable systems with runZero #
From the Service inventory, use the following query to locate potentially vulnerable assets:
_asset.protocol:http AND protocol:http AND has:html.body AND html.body:"arcserve.js" AND html.body:"Arcserve UDP"
