CVE-2015-4068

CVSS 9.1 (Critical) · EPSS 63.6% · CISA KEV · CWE-22
Vexday Risk Score: 70 (High priority)
SSVC decision (CISA): Act (exploitation + impact → act immediately)
Tags: CVSS 9.1, EPSS 63.6%, KEV, simPoC, Nuclei, Metasploit, Patch
Lifecycle
29 May 2015: Published on NVD
25 Mar 2022: Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short

A flaw in Arcserve UDP allows attackers to access files outside their intended directory by sending specially crafted requests to specific servlets, potentially exposing sensitive data or crashing the service.

Technical detail

A directory traversal vulnerability in the reportFileServlet and exportServlet servlets allows unauthenticated remote attackers to escape file path restrictions through path manipulation (CWE-22), enabling unauthorized file access and denial of service. Affects Arcserve UDP versions before 5.0 Update 4.

Summary generated and translated by AI from the official description.
Directory traversal vulnerability in Arcserve UDP before 5.0 Update 4 allows remote attackers to obtain sensitive information or cause a denial of service via a crafted file path to the (1) reportFileServlet or (2) exportServlet servlet.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Affected products
n/a
