CVE-2025-34523
Published: 27 August 2025
Summary
CVE-2025-34523 is a critical-severity heap-based buffer overflow (CWE-122) vulnerability in Arcserve Unified Data Protection (UDP). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 32.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely identification, reporting, and correction of software flaws like this heap-based buffer overflow through patching or upgrading to UDP 10.2.
SI-10 mandates validation of incoming information from external network interfaces, directly countering the improper bounds checking on attacker-controlled input.
SI-16 requires memory protections such as ASLR and a non-executable heap. These do not prevent the heap corruption itself (a crash and the resulting denial of service remain possible), but they make turning the overflow into reliable arbitrary code execution considerably harder.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A remote, unauthenticated heap buffer overflow in a network-facing service maps directly to exploitation of a public-facing application, yielding remote code execution or denial of service.
NVD Description
A heap-based buffer overflow vulnerability exists in the network-facing input handling routines of Arcserve Unified Data Protection (UDP). This flaw is reachable without authentication and results from improper bounds checking when processing attacker-controlled input. By sending specially crafted data, a remote attacker can corrupt heap memory, potentially causing a denial of service or enabling arbitrary code execution depending on the memory layout and exploitation techniques used. This vulnerability is similar in nature to CVE-2025-34522 but affects a separate code path or component. No user interaction is required, and exploitation occurs in the context of the vulnerable process. This vulnerability affects all UDP versions prior to 10.2. UDP 10.2 includes the necessary patches and requires no action. Versions 8.0 through 10.1 are supported and require either patch application or upgrade to 10.2. Versions 7.x and earlier are unsupported or out of maintenance and must be upgraded to 10.2 to remediate the issue.
Deeper analysis
CVE-2025-34523 is a heap-based buffer overflow vulnerability in the network-facing input handling routines of Arcserve Unified Data Protection (UDP), stemming from improper bounds checking on attacker-controlled input (CWE-122). It affects all UDP versions prior to 10.2 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The flaw is reachable without authentication and occurs in the context of the vulnerable process, with no user interaction required. It shares similarities with CVE-2025-34522 but impacts a distinct code path.
A remote attacker can exploit this vulnerability by sending specially crafted data over the network, leading to heap memory corruption. Depending on memory layout and exploitation techniques, this may result in denial of service or arbitrary code execution.
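The bug class described above and in the SI-10 control, as an added illustration that is not Arcserve code and makes no claim about how UDP's actual input handler is written: a hypothetical length-prefixed wire format is parsed into a fixed-size heap record, once trusting the attacker-supplied length field (the CWE-122 pattern) and once with the bounds checks that SI-10 calls for. The wire format, the record layout, the sample messages and every function name are assumptions made for this example. The overflow demonstration places the record at the front of a larger heap block with a canary behind it so the corruption is observable without crashing the process.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative reconstruction of the CWE-122 pattern, not Arcserve code:
 * wire format, record layout and names are all assumed for the example. */

#define RECORD_PAYLOAD_MAX 64   /* assumed capacity of the heap record */
#define CANARY_LEN 8

/* Fixed-size record the service keeps on the heap (assumed layout). */
struct record {
    uint16_t len;
    uint8_t  payload[RECORD_PAYLOAD_MAX];
};

/* Assumed wire format: 2-byte big-endian payload length, then the payload. */
static uint16_t read_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* VULNERABLE: trusts the attacker-controlled length field and copies that many
 * bytes into the fixed-size record; a declared length above 64 writes past the
 * end of the heap allocation (CWE-122). */
int parse_record_unchecked(const uint8_t *msg, size_t msg_len, struct record *rec)
{
    if (msg_len < 2)
        return -1;
    uint16_t declared = read_be16(msg);
    rec->len = declared;
    memcpy(rec->payload, msg + 2, declared);   /* no bounds check */
    return 0;
}

/* HARDENED: the declared length is checked against the destination capacity
 * and against the bytes actually received before anything is copied. */
int parse_record_checked(const uint8_t *msg, size_t msg_len, struct record *rec)
{
    if (msg_len < 2)
        return -1;                                 /* truncated header */
    uint16_t declared = read_be16(msg);
    if (declared > RECORD_PAYLOAD_MAX)
        return -2;                                 /* exceeds destination */
    if ((size_t)declared > msg_len - 2)
        return -3;                                 /* claims more than was received */
    rec->len = declared;
    memcpy(rec->payload, msg + 2, declared);
    return 0;
}

/* Shows the corruption safely: the record sits at the front of a larger heap
 * block so the overflow lands on a canary instead of allocator metadata or a
 * neighbouring object. Returns 1 if the canary was overwritten. */
int demo_unchecked_clobbers_neighbour(void)
{
    static const uint8_t pattern[CANARY_LEN] = {0xCA, 0xFE, 0xBA, 0xBE, 0xDE, 0xAD, 0xBE, 0xEF};
    uint8_t *block = malloc(sizeof(struct record) + CANARY_LEN);
    if (!block)
        return -1;
    struct record *rec = (struct record *)block;
    uint8_t *canary = block + sizeof(struct record);
    memcpy(canary, pattern, CANARY_LEN);

    /* Constructed hostile message: header claims 72 bytes and 72 bytes follow,
     * 8 more than the record can hold. */
    uint8_t msg[2 + RECORD_PAYLOAD_MAX + CANARY_LEN];
    msg[0] = 0;
    msg[1] = RECORD_PAYLOAD_MAX + CANARY_LEN;
    memset(msg + 2, 'A', RECORD_PAYLOAD_MAX + CANARY_LEN);

    parse_record_unchecked(msg, sizeof msg, rec);
    int clobbered = memcmp(canary, pattern, CANARY_LEN) != 0;
    free(block);
    return clobbered;
}

/* Runs the hardened parser over three constructed messages. Returns a bitmask:
 * 1 = well-formed message accepted, 2 = oversized length rejected,
 * 4 = length claiming more than received rejected; 7 means all three held. */
int demo_checked_parser(void)
{
    struct record rec;
    int result = 0;

    uint8_t good[] = {0, 5, 'h', 'e', 'l', 'l', 'o'};
    if (parse_record_checked(good, sizeof good, &rec) == 0 && rec.len == 5 &&
        memcmp(rec.payload, "hello", 5) == 0)
        result |= 1;

    uint8_t oversized[2 + 72];
    oversized[0] = 0;
    oversized[1] = 72;
    memset(oversized + 2, 'A', 72);
    if (parse_record_checked(oversized, sizeof oversized, &rec) == -2)
        result |= 2;

    uint8_t truncated[] = {0, 10, 'a', 'b', 'c'};   /* claims 10, carries 3 */
    if (parse_record_checked(truncated, sizeof truncated, &rec) == -3)
        result |= 4;

    return result;
}

int main(void)
{
    printf("unchecked parser overwrote the neighbouring canary: %s\n",
           demo_unchecked_clobbers_neighbour() == 1 ? "yes" : "no");
    printf("checked parser bitmask (7 = all cases handled): %d\n", demo_checked_parser());
    return 0;
}
```

The second check in the hardened parser matters as much as the first: a length field that exceeds the bytes actually received turns the same copy into an out-of-bounds read, so both the destination capacity and the source length must be validated before the copy, with the validation done once at the network boundary rather than relied upon downstream.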
The Arcserve security bulletin at https://support.arcserve.com/s/article/Important-Security-Bulletin-Must-read-for-all-Arcserve-UDP-customers-on-all-versions states that UDP 10.2 includes the necessary patches with no further action required. Supported versions 8.0 through 10.1 require patch application or upgrade to 10.2, while unsupported versions 7.x and earlier must be upgraded to 10.2 for remediation.
Details
- CWE(s)