CVE-2025-34523
Published: 27 August 2025
Summary
CVE-2025-34523 is a critical-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Arcserve UDP. Its CVSS base score is 9.2 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 32.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2025-34523 is a heap-based buffer overflow vulnerability in the network-facing input handling routines of Arcserve Unified Data Protection (UDP), stemming from improper bounds checking on attacker-controlled input (CWE-122). It affects all UDP versions prior to 10.2 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The flaw is reachable without authentication and occurs in the context of the vulnerable process, with no user interaction required. It shares similarities with CVE-2025-34522 but impacts a distinct code path.
A remote attacker can exploit this vulnerability by sending specially crafted data over the network, leading to heap memory corruption. Depending on memory layout and exploitation techniques, this may result in denial of service or arbitrary code execution.
The Arcserve security bulletin at https://support.arcserve.com/s/article/Important-Security-Bulletin-Must-read-for-all-Arcserve-UDP-customers-on-all-versions states that UDP 10.2 includes the necessary patches with no further action required. Supported versions 8.0 through 10.1 require patch application or upgrade to 10.2, while unsupported versions 7.x and earlier must be upgraded to 10.2 for remediation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-26166
Vulnerability details
A heap-based buffer overflow vulnerability exists in the network-facing input handling routines of Arcserve Unified Data Protection (UDP). This flaw is reachable without authentication and results from improper bounds checking when processing attacker-controlled input. By sending specially crafted data, a remote attacker can corrupt heap memory, potentially causing a denial of service or enabling arbitrary code execution depending on the memory layout and exploitation techniques used. This vulnerability is similar in nature to CVE-2025-34522 but affects a separate code path or component. No user interaction is required, and exploitation occurs in the context of the vulnerable process. This vulnerability affects all UDP versions prior to 10.2. UDP 10.2 includes the necessary patches and requires no action. Versions 8.0 through 10.1 are supported and require either patch application or upgrade to 10.2. Versions 7.x and earlier are unsupported or out of maintenance and must be upgraded to 10.2 to remediate the issue.
- CWE(s): CWE-122 (Heap-based Buffer Overflow)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated heap buffer overflow in network-facing service directly enables exploitation of a public-facing application for RCE or DoS.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of all input for proper size and bounds, which would have prevented the heap buffer overflow from attacker-controlled network data.
- SI-16 (Memory Protection): requires memory protection mechanisms that can detect or block heap corruption attempts before they result in DoS or code execution.
- Flaw remediation: mandates timely installation of security-relevant patches, directly addressing the requirement to upgrade or patch UDP versions prior to 10.2.