Arcserve UDP - Authentication Bypass (CVE-2023-26258)

CVE-2023-26258 is a critical authentication bypass vulnerability in Arcserve UDP through version 9.0.6034, where the getVersionInfo method leaks an AuthUUID token. Attackers can exploit this flaw to obtain a valid administrator session and execute any task with full privileges, potentially leading to complete system compromise.

CrowdSec has been tracking this vulnerability and its exploits since 15th of October 2025.

Insights from the CrowdSec network reveal that the attackers trying to exploit CVE-2023-26258 are composed of a fairly even mix of opportunistic and targeted actors. Some attackers employ preliminary reconnaissance, while others use indiscriminate scanning. CrowdSec network telemetry also shows that exploitation of CVE-2023-26258 has significantly declined over the past week. Attack volumes are well below the long-term average, suggesting attackers are rapidly losing interest. The vulnerability appears to be falling out of active use across most threat landscapes.

Attackers exploit Arcserve UDP servers by sending crafted SOAP requests to endpoints such as /WebServiceImpl/services/FlashServiceImpl and /WebServiceImpl/services/VirtualStandbyServiceImpl to bypass authentication and obtain administrative session tokens. These endpoints are targeted to leak sensitive tokens and escalate privileges without valid credentials.