CVE-2025-34521: 
Arcserve Unified Data Protection vulnerability analysis and mitigation

A reflected cross-site scripting (XSS) vulnerability (CVE-2025-34521) was discovered in the web interface of Arcserve Unified Data Protection (UDP). The vulnerability was disclosed on August 27, 2025, affecting all UDP versions prior to 10.2. This security flaw exists due to improper handling of unsanitized user input in HTTP responses (NVD).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It received a CVSS v3.1 base score of 5.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, and a CVSS v4.0 score of 4.8 (MEDIUM) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. The vulnerability requires low privileges and user interaction for successful exploitation (NVD).

Successful exploitation of this vulnerability can lead to session hijacking, credential theft, and other client-side impacts. The vulnerability occurs within a shared browser context, allowing attackers to execute arbitrary JavaScript in the victim's browser when malicious links are visited (NVD).

Arcserve has released version 10.2 which includes the necessary patches to address this vulnerability. Users running versions 8.0 through 10.1 should either apply the available patch or upgrade to version 10.2. For versions 7.x and earlier, which are unsupported or out of maintenance, users must upgrade to version 10.2 to remediate the issue (Arcserve Advisory).