CVE-2025-34520: 
Arcserve Unified Data Protection vulnerability analysis and mitigation

An authentication bypass vulnerability (CVE-2025-34520) was discovered in Arcserve Unified Data Protection (UDP). The vulnerability was disclosed on August 27, 2025, affecting all UDP versions prior to 10.2. This critical security flaw allows unauthenticated attackers to gain unauthorized access to protected functionality and administrator-level features (NVD, Watchtowr Labs).

The vulnerability allows attackers to bypass login mechanisms without valid credentials by manipulating specific request parameters or exploiting a logic flaw in the authentication system. The severity of this vulnerability is rated as CRITICAL with a CVSS v3.1 Base Score of 9.8 (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Under CVSS v4.0, it received a score of 7.7 HIGH (Vector: CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) (NVD).

The vulnerability enables unauthorized access to administrator-level features and protected functionality within Arcserve UDP. This could potentially lead to complete system compromise, as attackers can gain unauthorized access to user accounts and administrative functions without requiring valid credentials (NVD).

Arcserve has released version 10.2 which includes the necessary patches to address this vulnerability. For supported versions (8.0 through 10.1), users must either apply the available patch or upgrade to version 10.2. Users running versions 7.x and earlier, which are unsupported or out of maintenance, must upgrade to version 10.2 to remediate the issue (NVD).