
Cloud Vulnerability DB
A community-led vulnerabilities database
An authentication bypass vulnerability (CVE-2023-41999) exists in Arcserve UDP versions prior to 9.2. The vulnerability was discovered by Tenable researchers and disclosed to Arcserve in August 2023. This critical vulnerability allows an unauthenticated, remote attacker to obtain a valid authentication identifier that enables them to authenticate to the management console and perform tasks requiring authentication (Tenable Advisory).
The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The flaw lies in the management console's authentication mechanism, where attackers can exploit the ValidateUserByUUID() function to obtain valid authentication UUIDs. Once authenticated, attackers can perform administrative actions, including accessing 'Edge Account' credentials (Tenable Advisory).
Successful exploitation gives attackers unauthorized access to the management console with administrative privileges. Once authenticated, they can perform any action that requires authentication, including accessing sensitive administrative credentials, and can potentially compromise the entire system (Help Net Security).
Organizations are strongly advised to upgrade to Arcserve UDP version 9.2 or later. For environments that cannot upgrade to version 9.2, Arcserve has released manual patches for older supported versions: UDP 9.1 (P00002967), UDP 8.1 (P00002968), and UDP 7.0 Update 2 (P00002983). These patches must be applied individually to each node (Tenable Advisory).
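Because the manual patches are per-node, remediation has to be tracked host by host. The following is an added example, not Arcserve or Tenable code, that triages a fleet inventory against the fixed version and patch IDs listed above. The CSV layout, host names, status labels, and the choice to treat any release without a listed patch as needing an upgrade are assumptions.

```python
import csv
import io

FIXED = (9, 2)  # first fixed release according to the advisory
# Manual patches named on this page, keyed by the release they apply to.
PATCHES = {"9.1": "P00002967", "8.1": "P00002968", "7.0 Update 2": "P00002983"}

# Constructed inventory: columns and host names are assumptions for illustration.
SAMPLE = """host,version,patches
rps01,9.2,
rps02,9.1,P00002967
agent07,9.1,
agent08,8.1,P00002967
old-srv,7.0 Update 1,
bad-row,unknown,
"""

def major_minor(version):
    """Return (major, minor) from '9.1' or '7.0 Update 2'; None if unparseable."""
    head = version.split()[0] if version.strip() else ""
    parts = head.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts[:2]):
        return None
    return int(parts[0]), int(parts[1])

def triage(version, applied):
    """Classify one node from its release string and its set of applied patch IDs."""
    mm = major_minor(version)
    if mm is None:
        return "unknown-version"      # do not assume safe; investigate manually
    if mm >= FIXED:
        return "fixed"
    patch = PATCHES.get(version.strip())
    if patch is None:
        return "upgrade-required"     # assumption: no listed patch means upgrade
    # A patch for a different release does not count (see agent08 in SAMPLE).
    return "patched" if patch in applied else f"apply-{patch}"

def triage_inventory(text):
    """Map each host in the CSV text to its remediation status."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["host"]: triage(r["version"], set((r["patches"] or "").split(";")))
            for r in rows}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host:10} {status}")
```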
Source: This report was generated using AI