CVE-2025-34522

Severity: Critical
Published: 27 August 2025
Modified: 09 September 2025
CISA KEV: not listed
CVSS v4 score: 9.2 (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0107 (78.1st percentile)
Risk priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-34522 is a critical-severity heap-based buffer overflow (CWE-122) in Arcserve UDP (Unified Data Protection). Its CVSS v4 base score is 9.2 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 21.9% of all CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

A heap-based buffer overflow vulnerability exists in the input parsing logic of Arcserve Unified Data Protection (UDP). The flaw stems from improper bounds checking during unauthenticated input handling and is tracked as CWE-122. It affects all versions prior to 10.2, with supported releases 8.0 through 10.1 requiring remediation and earlier unsupported versions needing mandatory upgrade.

An unauthenticated attacker can send specially crafted input over the network to trigger the overflow, overwriting heap memory in the affected process. Successful exploitation can produce application crashes or remote code execution without user interaction, and the CVSS 9.2 score reflects the high impact on confidentiality, integrity, and availability under these conditions.

The vendor advisory at support.arcserve.com directs customers on versions 8.0–10.1 to apply the available patches or upgrade to 10.2, while versions 7.x and earlier must be upgraded to 10.2 because they are out of maintenance. UDP 10.2 contains the fixes and requires no further action.

The associated EPSS score has remained flat at 0.0107 with no material increase since disclosure.

Vulnerability details

A heap-based buffer overflow vulnerability exists in the input parsing logic of Arcserve Unified Data Protection (UDP). This flaw can be triggered without authentication by sending specially crafted input to the target system. Improper bounds checking allows an attacker to overwrite heap memory, potentially leading to application crashes or remote code execution. Exploitation occurs in the context of the affected process and does not require user interaction. The vulnerability poses a high risk due to its pre-authentication nature and potential for full compromise. This vulnerability affects all UDP versions prior to 10.2. UDP 10.2 includes the necessary patches and requires no action. Versions 8.0 through 10.1 are supported and require either patch application or upgrade to 10.2. Versions 7.x and earlier are unsupported or out of maintenance and must be upgraded to 10.2 to remediate the issue.

CWE(s)

CWE-122 Heap-based Buffer Overflow

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

A remote, unauthenticated heap buffer overflow enabling RCE against a public-facing UDP service directly matches exploitation of public-facing applications.

Confidence: HIGH (MITRE ATT&CK Enterprise v18.1)

CVEs Like This One

CVE-2025-34523: same product (Arcserve UDP)
CVE-2025-34520: same product (Arcserve UDP)
CVE-2026-23827: shared CWE-122
CVE-2026-45584: shared CWE-122
CVE-2026-8175: shared CWE-122
CVE-2026-32945: shared CWE-122
CVE-2026-20766: shared CWE-122
CVE-2026-4395: shared CWE-122
CVE-2025-67268: shared CWE-122
CVE-2026-22697: shared CWE-122

Affected Assets

Vendor: arcserve
Product: udp
Versions: 7.0 · ≤ 7.0 · 8.0 – 10.2

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly addresses improper bounds checking in input parsing by requiring validation and filtering of specially crafted inputs to prevent heap-based buffer overflows.

Flaw remediation (prevent)
Ensures timely patching or upgrading of vulnerable Arcserve UDP versions prior to 10.2 to remediate the known heap buffer overflow flaw.

SI-16 Memory Protection (prevent)
Provides memory protections such as ASLR and DEP to prevent unauthorized code execution from heap memory overwrites triggered by the vulnerability.
