CVE-2025-34520 HIGH

CVE-2025-34520: Arcserve UDP < 10.2 Authentication Bypass

Vendor: Arcserve
Product: Unified Data Protection (UDP)
Weakness: CWE-288
Published: August 27, 2025
Last update: May 15, 2026

CVSS base score

7.7/10
Attack vector: Adjacent
Attack complexity: High
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

An authentication bypass vulnerability in Arcserve Unified Data Protection (UDP) allows unauthenticated attackers to gain unauthorized access to protected functionality or user accounts. By manipulating specific request parameters or exploiting a logic flaw, an attacker can bypass login mechanisms without valid credentials and access administrator-level features. This vulnerability affects all UDP versions prior to 10.2. UDP 10.2 includes the necessary patches and requires no action. Versions 8.0 through 10.1 are supported and require either patch application or upgrade to 10.2. Versions 7.x and earlier are unsupported or out of maintenance and must be upgraded to 10.2 to remediate the issue.

Key dates

02 Disclosure timeline

August 27, 2025: CVE published
May 15, 2026: Record updated