Skip to main content

Udp Console CVE-2026-40118

| EUVDEUVD-2026-23192 MEDIUM
Incorrectly Specified Destination in a Communication Channel (CWE-941)
2026-04-16 jpcert GHSA-rhf4-34xg-3v3j
5.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

5
CVSS changed
Apr 16, 2026 - 05:35 NVD
6.3 (MEDIUM) 5.1 (MEDIUM)
Analysis Generated
Apr 16, 2026 - 05:17 vuln.today
EUVD ID Assigned
Apr 16, 2026 - 05:00 euvd
EUVD-2026-23192
Analysis Generated
Apr 16, 2026 - 05:00 vuln.today
CVE Published
Apr 16, 2026 - 04:19 nvd
MEDIUM 5.1

DescriptionCVE.org

UDP Console provided by Arcserve contains an incorrectly specified destination in a communication channel vulnerability. When a user configures an activation server hostname of the affected product to a dummy URL, the product may unintentionally communicate with the dummy domain, causing information disclosure.

AnalysisAI

UDP Console in Arcserve allows information disclosure when an administrator configures the activation server hostname to an arbitrary or malicious URL, causing the product to unintentionally communicate with and leak data to the attacker-controlled domain. The vulnerability requires user interaction (configuring a malicious hostname) and affects all versions of Arcserve UDP Console, with CVSS 6.3 (network-accessible, low complexity) indicating moderate real-world risk. No active exploitation or public proof-of-concept has been identified at the time of analysis.

Technical ContextAI

Arcserve UDP Console is a backup and disaster recovery management platform that communicates with an activation server during product initialization. The vulnerability stems from CWE-941 (Incorrectly Specified Destination in a Communication Channel), meaning the product fails to properly validate or restrict the destination URL for activation server communications. When an administrator provides a malicious or attacker-controlled hostname during configuration, the product treats it as legitimate and establishes network connections to that domain, potentially transmitting sensitive configuration data, product metadata, or authentication tokens. The UDP protocol involvement (per product name) suggests connectionless communication that may bypass traditional firewalls if directed to arbitrary external hosts. CPE cpe:2.3:a:arcserve:udp_console:*:*:*:*:*:*:*:* indicates all UDP Console versions are affected.

RemediationAI

Arcserve has released a patch for UDP Console; administrators should consult the Arcserve support article (https://support.arcserve.com/s/article/P00003790) and JPCERT advisory (https://jvn.jp/en/jp/JVN88396700/) for exact patch versions and upgrade instructions. As an interim mitigation, administrators should verify that the activation server hostname is set to Arcserve's legitimate domain (not a user-modifiable or untrusted value) and should implement network egress controls to restrict UDP Console outbound connections to known-good Arcserve servers only, using firewall rules or network segmentation. If possible, pin the activation server URL to a hardcoded legitimate domain within product configuration rather than allowing administrator input. Network monitoring tools should alert on unexpected outbound connections from UDP Console to non-Arcserve destinations. These compensating controls trade off some operational flexibility (administrators cannot change activation servers without firewall rule updates) but significantly reduce the attack surface by preventing accidental or malicious misconfiguration.

Share

CVE-2026-40118 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy