Arcserve Zero-Day Disclosure

By Fortra's Digital Defense

Digital Defense is disclosing four previously unreported vulnerabilities in the Arcserve Unified Data Protection platform. The vulnerabilities can lead to compromise of sensitive data through access to credentials, phishing attacks, and the ability for an attacker to read files from the hosting system without authentication.



DDI-VRT-2018-18 - Unauthenticated Sensitive Information Disclosure via /gateway/services/EdgeServiceImpl

DDI-VRT-2018-19 - Unauthenticated XXE in /management/UdpHttpService

DDI-VRT-2018-20 - Unauthenticated Sensitive Information Disclosure via /UDPUpdates/Config/FullUpdateSettings.xml

DDI-VRT-2018-21 - Reflected Cross-site Scripting via /authenticationendpoint/domain.jsp

Vulnerability Description

Unified Data Protection (UDP) is vulnerable to two unauthenticated information disclosures and an XML external entity (XXE) attack. An attacker could use these to gain access to database and other credentials and to read files on the system hosting the UDP application, all without authentication. Additionally, UDP is vulnerable to reflected cross-site scripting (XSS), which could be used for phishing.
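For defenders reviewing a host that ran an affected version, the following added example (not part of the original advisory and not Arcserve code) scans web access logs for requests to the four endpoints listed above and groups them by advisory ID and client. The common/combined log layout, the sample lines, and the `expected_sources` allowlist are assumptions made for illustration; a match is a request to review, not proof of exploitation.

```python
import re
from collections import defaultdict
from posixpath import normpath
from urllib.parse import unquote

# Endpoint paths and advisory IDs as listed in this advisory (lowercased for matching).
ADVISORY_PATHS = {
    "/gateway/services/edgeserviceimpl": "DDI-VRT-2018-18",
    "/management/udphttpservice": "DDI-VRT-2018-19",
    "/udpupdates/config/fullupdatesettings.xml": "DDI-VRT-2018-20",
    "/authenticationendpoint/domain.jsp": "DDI-VRT-2018-21",
}
# Assumption: common/combined layout: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def canonical_path(target):
    """Reduce a request target to a comparable path so encoded variants still match."""
    path = unquote(target.split("?", 1)[0])  # drop query string, decode %xx once
    path = re.sub(r";[^/]*", "", path)       # drop ;path-parameters
    path = re.sub(r"/+", "/", "/" + path)    # collapse duplicate slashes
    return normpath(path).lower()            # resolve ./.. segments; over-match on case

def review(lines, expected_sources=frozenset()):
    """Return {advisory_id: {client: [(method, status), ...]}} for clients not expected."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed layout
        client, method, target, status = m.groups()
        advisory = ADVISORY_PATHS.get(canonical_path(target))
        if advisory and client not in expected_sources:
            hits[advisory][client].append((method, int(status)))
    return {adv: dict(clients) for adv, clients in hits.items()}

# Constructed sample lines (documentation IP ranges; methods and statuses are made up).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Oct/2018:10:01:02 +0000] "POST /management/UdpHttpService HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Oct/2018:10:01:09 +0000] "GET /UDPUpdates//Config/%46ullUpdateSettings.xml HTTP/1.1" 200 2048',
    '198.51.100.4 - - [12/Oct/2018:10:02:00 +0000] "GET /authenticationendpoint/domain.jsp;x=1?a=b HTTP/1.1" 200 900',
    '192.0.2.10 - - [12/Oct/2018:10:03:00 +0000] "POST /gateway/services/EdgeServiceImpl HTTP/1.1" 200 300',
    '192.0.2.10 - - [12/Oct/2018:10:03:05 +0000] "GET /index.html HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for adv, clients in sorted(review(SAMPLE_LOG, {"192.0.2.10"}).items()):
        print(adv, clients)
```

Populate `expected_sources` with the addresses of known management hosts so that routine traffic to these endpoints is filtered out before review.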

Solution Description

Arcserve has provided fixes. A patch is available for download from Arcserve for hosts running UDP Console at:

For the standalone gateway, manual fix application instructions are provided at:

Affected Systems / Software (with versions)

Arcserve UDP 6.5 update 4

Vendor Contact

