Critical Flaw Exposes ArcServe Backup to Remote Code Execution
A recent adversary simulation conducted by the MDSec ActiveBreach red team uncovered a critical vulnerability in ArcServe UDP Backup software.
Tracked as CVE-2023-26258, the flaw affects versions 7.0 to 9.0 of the software and allows for remote code execution (RCE), posing a significant risk to organizations relying on the software for backup infrastructure.
“The importance of ensuring the security of backup systems cannot be overstated; it should […] be perceived with equal, if not greater, significance than operational production systems which it supports,” said Michael Skelton, senior director of security operations at Bugcrowd.
According to the security expert, in the event of a security breach, these backup systems may be specifically targeted for destruction, rendering the production systems unusable.
“This compromising situation could potentially render any form of data recovery and system rebuilding unachievable,” Skelton added.
During the MDSec simulation, security analysts Juan Manuel Fernandez and Sean Doherty identified an authentication bypass flaw that allowed access to the software’s administration interface.
By intercepting and modifying a specific HTTP request, attackers could redirect the software to contact an HTTP server under their control, granting unauthorized access.
Once inside, the red team discovered additional techniques to extract sensitive information, including the administrator password. Exploiting the flaw and subsequent password retrieval highlighted the critical need for a security patch.
“If your data protection solution is architected properly, your backups are ultimately protected with more than one identity source,” commented Brandon Williams, chief technology officer at Conversant Group.
“Backup strategies should ideally prevent access, but also provide immutability, redundancy, recoverability, and resilience – multiple layers of security controls.”
The MDSec team reportedly disclosed the vulnerability to ArcServe on February 2, and after a lengthy process, a patch addressing the issue was released on June 27, 2023. However, concerns were raised regarding the lack of proper credit given to the security researchers.
Users are strongly advised to update their ArcServe UDP Backup software to the latest version to mitigate the risk of exploitation.