CVE Catalog

CVE-2025-34523

Critical
Published: Translated: NVD NIST

Summary

A heap-based buffer overflow vulnerability exists in the network-facing input handling routines of Arcserve Unified Data Protection (UDP) that can be exploited by a remote attacker without authentication. By sending specially crafted data, an attacker can corrupt heap memory, potentially leading to denial of service or arbitrary code execution.

Risk Assessment

This vulnerability poses a significant risk to organizations as it allows remote attackers to potentially take control of the system or disrupt its operation. The lack of authentication makes the attack easier to execute.

Recommendation

It is recommended to upgrade to UDP version 10.2, which includes the necessary patches. For versions 8.0 through 10.1, appropriate patches should be applied or an upgrade should be performed.

Original NVD description (English source)

A heap-based buffer overflow vulnerability exists in the network-facing input handling routines of Arcserve Unified Data Protection (UDP). This flaw is reachable without authentication and results from improper bounds checking when processing attacker-controlled input. By sending specially crafted data, a remote attacker can corrupt heap memory, potentially causing a denial of service or enabling arbitrary code execution depending on the memory layout and exploitation techniques used. This vulnerability is similar in nature to CVE-2025-34522 but affects a separate code path or component. No user interaction is required, and exploitation occurs in the context of the vulnerable process. This vulnerability affects all UDP versions prior to 10.2. UDP 10.2 includes the necessary patches and requires no action. Versions 8.0 through 10.1 are supported and require either patch application or upgrade to 10.2. Versions 7.x and earlier are unsupported or out of maintenance and must be upgraded to

Vulnerability data from NVD (NIST) · CISA KEV · EPSS