Arcserve UDP from version 7.0 to 9.0 allows authentication bypass. The method getVersionInfo in WebServiceImpl/services/FlashServiceImpl exposes the AuthUUID token. This token can be used at /WebServiceImpl/services/VirtualStandbyServiceImpl to obtain a valid session. It is also possible to obtain administrator credentials.
CVE Link
Exploit Platform
Product Name