CVE-2025-34520
Published: 27 August 2025
Summary
CVE-2025-34520 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Arcserve UDP. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 48.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the authentication bypass by requiring timely application of vendor patches or upgrade to UDP 10.2, which fixes the logic flaw.
- Access Enforcement (AC-3): enforces approved authorizations for logical access, preventing unauthorized use of administrator-level features even where the bypass succeeds.
- Information Input Validation (SI-10): validates manipulated request parameters to block exploitation of the logic flaw that circumvents the login mechanism.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authentication bypass in public-facing backup application directly enables remote exploitation for initial access without credentials.
NVD Description
An authentication bypass vulnerability in Arcserve Unified Data Protection (UDP) allows unauthenticated attackers to gain unauthorized access to protected functionality or user accounts. By manipulating specific request parameters or exploiting a logic flaw, an attacker can bypass login mechanisms without valid credentials and access administrator-level features. This vulnerability affects all UDP versions prior to 10.2. UDP 10.2 includes the necessary patches and requires no action. Versions 8.0 through 10.1 are supported and require either patch application or upgrade to 10.2. Versions 7.x and earlier are unsupported or out of maintenance and must be upgraded to 10.2 to remediate the issue.
Deeper analysis
CVE-2025-34520 is an authentication bypass vulnerability (CWE-288) in Arcserve Unified Data Protection (UDP), a backup and recovery solution. It stems from a logic flaw that allows attackers to manipulate specific request parameters, circumventing login mechanisms without valid credentials. This enables unauthorized access to protected functionality and administrator-level features. The vulnerability affects all UDP versions prior to 10.2, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility and lack of prerequisites.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity, requiring no privileges, user interaction, or special conditions. Successful exploitation grants full administrative access, potentially allowing data exfiltration, modification of backups, or further system compromise, as reflected in the high confidentiality, integrity, and availability impacts.
The Arcserve security bulletin at https://support.arcserve.com/s/article/Important-Security-Bulletin-Must-read-for-all-Arcserve-UDP-customers-on-all-versions details mitigation: UDP 10.2 includes the necessary patches with no further action required. Supported versions 8.0 through 10.1 need either patch application or upgrade to 10.2. Versions 7.x and earlier are out of maintenance and must be upgraded to 10.2 for remediation.
Details
- CWE(s)