CVE-2025-34522: 
Arcserve Unified Data Protection vulnerability analysis and mitigation

A heap-based buffer overflow vulnerability (CVE-2025-34522) was discovered in the input parsing logic of Arcserve Unified Data Protection (UDP). The vulnerability was disclosed on August 20, 2025, and affects all UDP versions prior to 10.2. This pre-authentication vulnerability can be triggered by sending specially crafted input to the target system (NVD, Watchtowr Labs).

The vulnerability is classified as a heap-based buffer overflow (CWE-122) resulting from improper bounds checking in the input parsing logic. It has received a CVSS v3.1 base score of 9.8 (CRITICAL) with vector string AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and a CVSS v4.0 score of 9.2 (CRITICAL). The flaw exists in the core input processing components and can be exploited without requiring authentication or user interaction (NVD).

The vulnerability allows attackers to overwrite heap memory, which can lead to application crashes or remote code execution. The exploitation occurs in the context of the affected process and poses a high risk due to its pre-authentication nature and potential for full system compromise (NVD).

Arcserve has released version 10.2 which includes the necessary patches to address this vulnerability. Users running versions 8.0 through 10.1 should either apply the available patches or upgrade to version 10.2. Systems running versions 7.x and earlier, which are unsupported or out of maintenance, must be upgraded to version 10.2 to remediate the issue (NVD).