
CVE-2025-34523

Severity: Critical (updated)

Published: 27 August 2025
Modified: 26 May 2026
KEV Added: not listed
Patch: available (vendor bulletin referenced below)
CVSS Score (v4): 9.2
CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0053 (67.8th percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-34523 is a critical-severity heap-based buffer overflow (CWE-122) vulnerability in Arcserve UDP. Its CVSS base score is 9.2 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 32.2% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2025-34523 is a heap-based buffer overflow vulnerability in the network-facing input handling routines of Arcserve Unified Data Protection (UDP), stemming from improper bounds checking on attacker-controlled input (CWE-122). It affects all UDP versions prior to 10.2 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The flaw is reachable without authentication, requires no user interaction, and exploitation occurs in the context of the vulnerable process. It shares similarities with CVE-2025-34522 but impacts a distinct code path.

A remote attacker can exploit this vulnerability by sending specially crafted data over the network, leading to heap memory corruption. Depending on memory layout and exploitation techniques, this may result in denial of service or arbitrary code execution.

The Arcserve security bulletin at https://support.arcserve.com/s/article/Important-Security-Bulletin-Must-read-for-all-Arcserve-UDP-customers-on-all-versions states that UDP 10.2 includes the necessary patches with no further action required. Supported versions 8.0 through 10.1 require patch application or upgrade to 10.2, while unsupported versions 7.x and earlier must be upgraded to 10.2 for remediation.

EU & UK References

Vulnerability details

A heap-based buffer overflow vulnerability exists in the network-facing input handling routines of Arcserve Unified Data Protection (UDP). This flaw is reachable without authentication and results from improper bounds checking when processing attacker-controlled input. By sending specially crafted data, a remote attacker can corrupt heap memory, potentially causing a denial of service or enabling arbitrary code execution depending on the memory layout and exploitation techniques used. This vulnerability is similar in nature to CVE-2025-34522 but affects a separate code path or component. No user interaction is required, and exploitation occurs in the context of the vulnerable process. This vulnerability affects all UDP versions prior to 10.2. UDP 10.2 includes the necessary patches and requires no action. Versions 8.0 through 10.1 are supported and require either patch application or upgrade to 10.2. Versions 7.x and earlier are unsupported or out of maintenance and must be upgraded to 10.2 to remediate the issue.

CWE(s)

CWE-122: Heap-based Buffer Overflow

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

A remote, unauthenticated heap buffer overflow in a network-facing service directly enables exploitation of a public-facing application for RCE or DoS.

Confidence: HIGH (MITRE ATT&CK Enterprise v18.1)

CVEs Like This One

CVE-2025-34522 (same product: Arcserve UDP)
CVE-2025-34520 (same product: Arcserve UDP)
CVE-2026-23827 (shared CWE-122)
CVE-2026-45584 (shared CWE-122)
CVE-2026-8175 (shared CWE-122)
CVE-2026-32945 (shared CWE-122)
CVE-2026-20766 (shared CWE-122)
CVE-2026-4395 (shared CWE-122)
CVE-2025-67268 (shared CWE-122)
CVE-2026-22697 (shared CWE-122)

Affected Assets

Vendor: arcserve
Product: udp
Versions: 7.0; ≤ 7.0; 8.0 through 10.2 (as listed)

Mitigating Controls (NIST 800-53 r5)

prevent: SI-10 (Information Input Validation)
Directly requires validation of all input for proper size and bounds, which would have prevented the heap buffer overflow from attacker-controlled network data.

prevent: SI-16 (Memory Protection)
Requires memory protection mechanisms that can detect or block heap corruption attempts before they result in DoS or code execution.

prevent
Mandates timely installation of security-relevant patches, directly addressing the requirement to upgrade or patch UDP versions prior to 10.2.

References