CVE-2024-0799 Overview
CVE-2024-0799 is an authentication bypass vulnerability in Arcserve Unified Data Protection (UDP) versions 8.1 and 9.2. The flaw resides in the doLogin() function inside edge-app-base-webui.jar at com.ca.arcserve.edge.app.base.ui.server.EdgeLoginServiceImpl, reachable through the wizardLogin interface. Remote unauthenticated attackers can bypass authentication over the network without user interaction. Successful exploitation grants access to the UDP management interface, exposing backup data and recovery operations to manipulation. The vulnerability is tracked under CWE-287 (Improper Authentication).
Critical Impact
Unauthenticated remote attackers can bypass login on Arcserve UDP 8.1 and 9.2, gaining administrative access to backup infrastructure and stored data.
Affected Products
- Arcserve Unified Data Protection 8.1
- Arcserve Unified Data Protection 9.2
- Deployments exposing the UDP web management interface
Discovery Timeline
- 2024-03-13 - CVE-2024-0799 published to NVD
- 2025-10-14 - Last updated in NVD database
Technical Details for CVE-2024-0799
Vulnerability Analysis
The vulnerability resides in the Arcserve UDP web management console, specifically in the Java servlet handling wizard-based logins. The affected code path is the doLogin() method within EdgeLoginServiceImpl, packaged inside edge-app-base-webui.jar. The component fails to properly validate authentication credentials when accessed through the wizardLogin entry point.
Arcserve UDP is enterprise backup and disaster recovery software. Compromise of its management plane allows attackers to read, alter, or destroy backup data. Attackers can also pivot to protected systems by abusing legitimate recovery workflows.
The Exploit Prediction Scoring System (EPSS) places this issue in the top percentile of vulnerabilities likely to be exploited, indicating active attacker interest despite the absence of a public proof-of-concept at disclosure.
Root Cause
The doLogin() function processes authentication requests received through the wizard login path without enforcing the expected credential validation logic. Authenticated session state can be obtained without supplying valid credentials, satisfying the conditions for CWE-287 (Improper Authentication).
Attack Vector
An attacker sends a crafted HTTP request to the wizardLogin endpoint exposed by the UDP web UI. The request traverses the vulnerable EdgeLoginServiceImpl.doLogin() path, which returns an authenticated session without verifying user identity. No prior account, privilege, or user interaction is required. Refer to the Tenable Research Advisory for technical details on the request structure and conditions.
Detection Methods for CVE-2024-0799
Indicators of Compromise
- Unexpected successful authentication events to the Arcserve UDP management console from external or non-administrative source IPs.
- HTTP requests targeting the wizardLogin path or referencing EdgeLoginServiceImpl in server access logs.
- New or modified backup jobs, restore tasks, or administrative account changes that cannot be attributed to authorized operators.
- Outbound connections from UDP servers to unfamiliar destinations following web console access.
Detection Strategies
- Inspect Arcserve UDP web server access logs for requests to wizard login URLs originating from untrusted networks.
- Correlate authentication events on UDP hosts with corresponding network flow data to identify sessions established without valid credential exchange.
- Alert on configuration changes to the UDP console, including new administrators, modified retention policies, or disabled backup jobs.
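The log review described in the indicators and detection strategies above, as an added example that is not from this page or from Arcserve: it parses constructed Tomcat-style access log lines and flags wizardLogin requests that originate outside an assumed administrative subnet (10.10.10.0/24), ranking successful (HTTP 200) logins highest. The exact login URL is not documented here, so matching on the wizardLogin substring in the request path is an assumption.

```python
import ipaddress
import re

# Constructed Tomcat-style access log lines for illustration (not from a real deployment).
SAMPLE_LOG = """\
10.10.10.5 - - [13/Mar/2024:10:01:02 +0000] "POST /wizardLogin HTTP/1.1" 200 512
203.0.113.7 - - [13/Mar/2024:10:02:15 +0000] "POST /wizardLogin HTTP/1.1" 200 512
203.0.113.7 - - [13/Mar/2024:10:02:16 +0000] "GET /contentserver/index.jsp HTTP/1.1" 200 2048
198.51.100.9 - - [13/Mar/2024:10:03:00 +0000] "POST /wizardLogin HTTP/1.1" 401 128
10.10.10.8 - - [13/Mar/2024:10:04:00 +0000] "GET /index.jsp HTTP/1.1" 200 2048
"""

# Networks from which console logins are expected (assumed value; adjust per environment).
ADMIN_NETS = [ipaddress.ip_network("10.10.10.0/24")]

# Common log format: client ip, ident, user, [timestamp], "METHOD path proto", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_admin_source(ip):
    """True when the client address falls inside one of the administrative networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_NETS)


def find_suspicious_logins(log_text):
    """Return wizardLogin requests from untrusted sources, newest severity first in the row."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "wizardlogin" not in rec["path"].lower():
            continue
        if is_admin_source(rec["ip"]):
            continue
        # A 200 on the login path from outside the admin network is the strongest signal
        # for this bug, since no valid credentials are needed to obtain a session.
        severity = "high" if rec["status"] == 200 else "medium"
        hits.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"], "severity": severity})
    return hits
```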
Monitoring Recommendations
- Forward Arcserve UDP application and IIS/Tomcat logs to a centralized log platform for retention and querying.
- Restrict and monitor network access to the UDP management interface, treating any external connection attempt as suspicious.
- Track process execution on UDP servers for anomalous child processes spawned by the Java application server.
How to Mitigate CVE-2024-0799
Immediate Actions Required
- Identify all Arcserve UDP 8.1 and 9.2 installations and confirm version status across the environment.
- Remove the UDP management console from internet exposure and restrict access to a dedicated administrative network segment.
- Rotate credentials and review administrative accounts on UDP servers and connected systems.
- Audit recent backup, restore, and configuration activity for unauthorized changes.
Patch Information
Arcserve has addressed this issue in updates released after the affected 8.1 and 9.2 builds. Administrators should consult the Tenable Research Advisory and Arcserve support channels for the specific fixed build numbers and apply them to all UDP nodes, including agents and replication targets.
Workarounds
- Place the UDP web console behind a VPN or jump host requiring multi-factor authentication.
- Apply firewall rules limiting access to the management TCP ports to known administrator workstations.
- Disable external interfaces on UDP servers until patches are applied.
rem Example: restrict access to the Arcserve UDP management port (TCP 8014) using Windows Firewall.
rem Windows Firewall applies block rules before allow rules, so a blanket block on 8014
rem would also reject the administrative subnet. Set the default inbound action to block
rem and add only an allow rule scoped to the administrative network (10.10.10.0/24 here).
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall firewall add rule name="Allow Admin Subnet to UDP Console" ^
  dir=in action=allow protocol=TCP localport=8014 remoteip=10.10.10.0/24
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.