PoC for critical Arcserve UDP vulnerabilities published (CVE-2024-0799, CVE-2024-0800)

Arcserve has fixed critical security vulnerabilities (CVE-2024-0799, CVE-2024-0800) in its Unified Data Protection (UDP) solution that can be chained to upload malicious files to the underlying Windows system.

Tenable researchers have published a PoC exploit script demonstrating the attack, as well as one for triggering a third flaw (CVE-2024-0801) that can lead to denial of service.

About the vulnerabilities (CVE-2024-0799, CVE-2024-0800, CVE-2024-0801)

Arcserve UDP is a widely used enterprise backup and disaster recovery solution, as well as

The three vulnerabilities affect the UDP Console:

CVE-2024-0799 is a authentication bypass vulnerability that can be exploited by an unauthenticated remote attacker by sending a POST HTTP message without the password parameter to endpoint /management/wizardLogin.

“Once authenticated, the attacker can perform UDP Console tasks that require authentication,” Tenable researchers explained.

CVE-2024-0800 is a path traversal vulnerability that can be used by authenticated attackers to “upload arbitrary files to any directory on the file system where the UDP Console is installed.”

If CVE-2024-0800 is combined with CVE-2024-0799 – as in Tenable’s PoC – an attacker can upload (potentially malicious) files without prior authentication. “The upload operation is carried out under the security context of SYSTEM,” the researchers noted.

Finally, CVE-2024-0801 can allow unauthenticated attackers to trigger a termination of the software process.

Fixes are available

The vulnerabilities have been fixed via security patches for Arcserve UDP versions 9.2 and 8.1. Users are advised to implement them on every machine using the UDP console.