CVE-2025-34523: 
Arcserve Unified Data Protection vulnerability analysis and mitigation

A heap-based buffer overflow vulnerability (CVE-2025-34523) exists in the network-facing input handling routines of Arcserve Unified Data Protection (UDP). The vulnerability is reachable without authentication and results from improper bounds checking when processing attacker-controlled input. This vulnerability affects all UDP versions prior to 10.2 (NVD).

The vulnerability is classified as a heap-based buffer overflow (CWE-122) with a CVSS v3.1 Base Score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and CVSS v4.0 score of 9.2 CRITICAL. The flaw stems from improper bounds checking when processing attacker-controlled input in the network-facing components (NVD).

By sending specially crafted data, a remote attacker can corrupt heap memory, potentially causing a denial of service or enabling arbitrary code execution depending on the memory layout and exploitation techniques used. The vulnerability occurs in the context of the vulnerable process and requires no user interaction (NVD).

UDP 10.2 includes the necessary patches and requires no action. Versions 8.0 through 10.1 are supported and require either patch application or upgrade to 10.2. Versions 7.x and earlier are unsupported or out of maintenance and must be upgraded to 10.2 to remediate the issue (NVD).