Arcserve UDP Agent from version 7.0 to 9.0 allows authentication bypass. The method getVersionInfo in WebServiceImpl/services/FlashServiceImpl exposes the AuthUUID token. This token can be used at /WebServiceImpl/services/VirtualStandbyServiceImpl to obtain a valid session. It is also possible to obtain administrator credentials. Also, the credentials of the ArcServe UDP Agent are added as an identity. This module tries to determine remotely, if the target host is either vulnerable to CVE-2023-26258 or not.
CVE Link
Exploit Platform
Product Name