Arcserve Unified Data Protection Multiple Vulnerabilities
Tenable Research Advisories www.tenable.com
CVE-2023-41998 - Arcserve UDP Unauthenticated RCE
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
An unauthenticated, remote attacker can execute code remotely via the downloadAndInstallPath() routine within “com.ca.arcflash.rps.webservice.RPSService4CPMImpl.” This routine allows users to upload and execute arbitrary files.
For example, when triggering this method, a malicious actor can cause the service to download a zip file from an attacker-controlled URL to \Engine\BIN\patch\. The zip file is subsequently decompressed and a decompressed EXE file with the same file name as the zip …