Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
UDP Console provided by Arcserve contains an incorrectly specified destination in a communication channel vulnerability. When a user configures an activation server hostname of the affected product to a dummy URL, the product may unintentionally communicate with the dummy domain, causing information disclosure.
AnalysisAI
UDP Console in Arcserve allows information disclosure when an administrator configures the activation server hostname to an arbitrary or malicious URL, causing the product to unintentionally communicate with and leak data to the attacker-controlled domain. The vulnerability requires user interaction (configuring a malicious hostname) and affects all versions of Arcserve UDP Console, with CVSS 6.3 (network-accessible, low complexity) indicating moderate real-world risk. No active exploitation or public proof-of-concept has been identified at the time of analysis.
Technical ContextAI
Arcserve UDP Console is a backup and disaster recovery management platform that communicates with an activation server during product initialization. The vulnerability stems from CWE-941 (Incorrectly Specified Destination in a Communication Channel), meaning the product fails to properly validate or restrict the destination URL for activation server communications. When an administrator provides a malicious or attacker-controlled hostname during configuration, the product treats it as legitimate and establishes network connections to that domain, potentially transmitting sensitive configuration data, product metadata, or authentication tokens. The UDP protocol involvement (per product name) suggests connectionless communication that may bypass traditional firewalls if directed to arbitrary external hosts. CPE cpe:2.3:a:arcserve:udp_console:*:*:*:*:*:*:*:* indicates all UDP Console versions are affected.
RemediationAI
Arcserve has released a patch for UDP Console; administrators should consult the Arcserve support article (https://support.arcserve.com/s/article/P00003790) and JPCERT advisory (https://jvn.jp/en/jp/JVN88396700/) for exact patch versions and upgrade instructions. As an interim mitigation, administrators should verify that the activation server hostname is set to Arcserve's legitimate domain (not a user-modifiable or untrusted value) and should implement network egress controls to restrict UDP Console outbound connections to known-good Arcserve servers only, using firewall rules or network segmentation. If possible, pin the activation server URL to a hardcoded legitimate domain within product configuration rather than allowing administrator input. Network monitoring tools should alert on unexpected outbound connections from UDP Console to non-Arcserve destinations. These compensating controls trade off some operational flexibility (administrators cannot change activation servers without firewall rule updates) but significantly reduce the attack surface by preventing accidental or malicious misconfiguration.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23192
GHSA-rhf4-34xg-3v3j