CVE-2025-34522
Published: 27 August 2025
Summary
CVE-2025-34522 is a critical-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Arcserve UDP (Unified Data Protection). Its CVSS base score is 9.2 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 21.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
A heap-based buffer overflow vulnerability exists in the input parsing logic of Arcserve Unified Data Protection (UDP). The flaw stems from improper bounds checking during unauthenticated input handling and is tracked as CWE-122. It affects all versions prior to 10.2, with supported releases 8.0 through 10.1 requiring remediation and earlier unsupported versions needing mandatory upgrade.
An unauthenticated attacker can send specially crafted input over the network to trigger the overflow, overwriting heap memory in the affected process. Successful exploitation can produce application crashes or remote code execution without user interaction, and the CVSS 9.2 score reflects the high impact on confidentiality, integrity, and availability under these conditions.
The vendor advisory at support.arcserve.com directs customers on versions 8.0–10.1 to apply the available patches or upgrade to 10.2, while versions 7.x and earlier must be upgraded to 10.2 because they are out of maintenance. UDP 10.2 contains the fixes and requires no further action.
The associated EPSS score has remained flat at 0.0107 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-26165
Vulnerability details
A heap-based buffer overflow vulnerability exists in the input parsing logic of Arcserve Unified Data Protection (UDP). This flaw can be triggered without authentication by sending specially crafted input to the target system. Improper bounds checking allows an attacker to overwrite heap memory, potentially leading to application crashes or remote code execution. Exploitation occurs in the context of the affected process and does not require user interaction. The vulnerability poses a high risk due to its pre-authentication nature and potential for full compromise. This vulnerability affects all UDP versions prior to 10.2. UDP 10.2 includes the necessary patches and requires no action. Versions 8.0 through 10.1 are supported and require either patch application or upgrade to 10.2. Versions 7.x and earlier are unsupported or out of maintenance and must be upgraded to 10.2 to remediate the issue.
CWE(s)
- CWE-122: Heap-based Buffer Overflow
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190: Exploit Public-Facing Application
Why these techniques?
Remote unauthenticated heap buffer overflow enabling RCE against a public-facing UDP service directly matches exploitation of public-facing applications.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly addresses the improper bounds checking in input parsing by requiring validation and filtering of specially crafted inputs, preventing the heap-based buffer overflow from being triggered.
- Ensures timely patching or upgrading of vulnerable Arcserve UDP versions prior to 10.2 to remediate the known heap buffer overflow flaw.
- SI-16 (Memory Protection): Provides memory protections such as ASLR and DEP to prevent unauthorized code execution from the heap memory overwrites triggered by the vulnerability.