Arcserve UDP - Authentication Bypass (CVE-2023-26258)

CVE-2023-26258 is a critical authentication bypass vulnerability in Arcserve UDP through version 9.0.6034, where the getVersionInfo method leaks an AuthUUID token. Attackers can exploit this flaw to obtain a valid administrator session and execute any task with full privileges, potentially leading to complete system compromise.

CrowdSec has been tracking this vulnerability and its exploits since 15th of October 2025.

According to CrowdSec data, while opportunistic exploitation dominates, a portion of threat actors trying to exploit CVE-2023-26258 apply basic targeting methods such as port or service detection. This indicates emerging patterns of selective targeting. CrowdSec data also reveals a clear uptick in attacks involving CVE-2023-26258 over the past week. Activity is above the usual baseline, suggesting growing attention from attackers. This may reflect rising awareness, recent exploit releases, or expanded targeting efforts.

Attackers exploit Arcserve UDP servers by sending crafted SOAP requests to endpoints such as /WebServiceImpl/services/FlashServiceImpl and /WebServiceImpl/services/VirtualStandbyServiceImpl to bypass authentication and obtain administrative session tokens. These endpoints are targeted to leak sensitive tokens and escalate privileges without valid credentials.