CVE-2025-34522
Published: 27 August 2025
Summary
CVE-2025-34522 is a critical-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Arcserve UDP. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks in the top 22.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses improper bounds checking in input parsing by requiring validation and filtering of specially crafted inputs to prevent heap-based buffer overflows.
- Flaw remediation: ensures timely patching or upgrading of vulnerable Arcserve UDP versions prior to 10.2 to remediate the known heap buffer overflow flaw.
- SI-16 (Memory Protection): provides memory protections such as ASLR and DEP to prevent unauthorized code execution from heap memory overwrites triggered by the vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A remote, unauthenticated heap buffer overflow enabling RCE against a public-facing UDP service directly matches Exploit Public-Facing Application (T1190).
NVD Description
A heap-based buffer overflow vulnerability exists in the input parsing logic of Arcserve Unified Data Protection (UDP). This flaw can be triggered without authentication by sending specially crafted input to the target system. Improper bounds checking allows an attacker to overwrite heap memory, potentially leading to application crashes or remote code execution. Exploitation occurs in the context of the affected process and does not require user interaction. The vulnerability poses a high risk due to its pre-authentication nature and potential for full compromise. This vulnerability affects all UDP versions prior to 10.2. UDP 10.2 includes the necessary patches and requires no action. Versions 8.0 through 10.1 are supported and require either patch application or upgrade to 10.2. Versions 7.x and earlier are unsupported or out of maintenance and must be upgraded to 10.2 to remediate the issue.
Deeper analysis
CVE-2025-34522 is a heap-based buffer overflow vulnerability (CWE-122) in the input parsing logic of Arcserve Unified Data Protection (UDP). The flaw stems from improper bounds checking, enabling heap memory overwrite when processing specially crafted input. It affects all UDP versions prior to 10.2.
The vulnerability is exploitable remotely without authentication, privileges, or user interaction, requiring only low attack complexity (CVSS v3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, base score 9.8). An attacker can send crafted input to trigger the issue, potentially causing application crashes or remote code execution in the context of the affected process, with a high risk of full compromise.
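The page does not describe Arcserve's wire format, so the following is an added illustration (not Arcserve code) of the CWE-122 pattern the analysis names and of the SI-10 control that closes it: a parser for a hypothetical length-prefixed message that checks every attacker-controlled length against both the heap buffer's capacity and the bytes actually received before copying. MAX_PAYLOAD, the 4-byte big-endian header and the sample messages are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical wire format (constructed for this example, not Arcserve's):
 * 4-byte big-endian payload length, followed by the payload bytes. */
#define MAX_PAYLOAD 64u

typedef struct {
    uint8_t *data;   /* heap buffer of exactly MAX_PAYLOAD bytes */
    size_t   len;    /* bytes actually copied into it */
} message_t;

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2, PARSE_OOM = -3 };

/* Parse one message from `in` (n bytes received). The heap overflow the page
 * describes is the result of doing the memcpy below with only the sender's
 * `len` and neither of the two length checks. */
int parse_message(const uint8_t *in, size_t n, message_t *out)
{
    if (n < 4)
        return PARSE_TRUNCATED;                 /* header itself incomplete */
    uint32_t len = ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
                   ((uint32_t)in[2] << 8)  |  (uint32_t)in[3];
    if (len > MAX_PAYLOAD)
        return PARSE_TOO_LONG;                  /* would write past the heap buffer */
    if (len > n - 4)
        return PARSE_TRUNCATED;                 /* would read past the received input */
    uint8_t *buf = malloc(MAX_PAYLOAD);
    if (buf == NULL)
        return PARSE_OOM;
    memcpy(buf, in + 4, len);                   /* safe: len <= MAX_PAYLOAD and len <= n - 4 */
    out->data = buf;
    out->len  = len;
    return PARSE_OK;
}

void message_free(message_t *m) { free(m->data); m->data = NULL; m->len = 0; }

/* Constructed samples: a valid 5-byte message, and one whose header claims
 * 0x10000 bytes of payload (the crafted-length case the checks reject). */
static const uint8_t SAMPLE_OK[]  = {0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t SAMPLE_BAD[] = {0, 1, 0, 0, 'x'};
```

A parser that rejects rather than trusts the sender's length field is what SI-10 asks for; ASLR and DEP (SI-16) only raise the cost of exploiting a copy that was allowed to run.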
The Arcserve security bulletin states that UDP 10.2 includes the necessary patches, requiring no further action. Supported versions 8.0 through 10.1 need either patch application or upgrade to 10.2, while unsupported versions 7.x and earlier must be upgraded to 10.2 for remediation. Details are available at https://support.arcserve.com/s/article/Important-Security-Bulletin-Must-read-for-all-Arcserve-UDP-customers-on-all-versions.
Details
- CWE(s): CWE-122 (Heap-based Buffer Overflow)