Arcserve Unified Data Protection
cpe:2.3:a:arcserve:udp:*:*:*:*:*:*:*
- < 10.2
- >= 8.0, <= 10.1
- <= 7.x
A heap-based buffer overflow vulnerability has been identified in the network-facing input handling routines of Arcserve Unified Data Protection (UDP) versions prior to 10.2. This vulnerability, which can be exploited without authentication, arises from inadequate bounds checking when processing attacker-controlled input. As a result, a remote attacker can manipulate data to corrupt heap memory, potentially leading to a denial-of-service condition or allowing arbitrary code execution, depending on the memory layout and exploitation techniques employed. This vulnerability is similar to CVE-2025-34522 but affects a different code path or component.
Exploitation of this vulnerability can cause a heap-based buffer overflow, leading to memory corruption. This could result in a denial-of-service condition or allow for arbitrary code execution in the context of the vulnerable process.
Users can upgrade to Arcserve UDP 10.2, which includes the necessary patches. For those using versions 8.0 through 10.1, patches are available and can be applied. Customers on unsupported versions (UDP 7.x and earlier) should urgently upgrade to UDP 10.2.