Malware, Phishing, Vulnerability Management

Four zero-days found, patched in Arcserve UDP platform


Digital Defense VRT has revealed four zero-day vulnerabilities in the Arcserve Unified Data Protection (UDP) platform.


The issues found were an unauthenticated sensitive information disclosure via /gateway/services/EdgeServiceImpl, an unauthenticated XXE in /management/UdpHttpService, an unauthenticated sensitive information disclosure via /UDPUpdates/Config/FullUpdateSettings.xml and a reflected cross-site scripting flaw via /authenticationendpoint/domain.jsp.

The two unauthenticated information disclosures and the XML external entity (XXE) attack could be used by an attacker to gain access to a database and other credentials and to read files on the system hosting the UDP application without authentication. The reflected cross-site scripting issue could be used for phishing purposes, Digital Defense reported.

Arcserve has fixed the issues and the patch needed to update a system is available from Arcserve support.
