CVE-2015-4068 — Arcserve Unified Data Protection (UDP) Directory Traversal Vulnerability


Arcserve UDP — Unauthenticated Directory Traversal Enables Remote File Read and Service Disruption on Enterprise Backup Infrastructure

What Is Arcserve Unified Data Protection?

Arcserve Unified Data Protection (UDP) is enterprise backup, disaster recovery, and high-availability software deployed by organizations to protect servers, virtual machines, and endpoints. UDP's web-based management interface provides centralized backup job management, reporting, and recovery operations — running on a Windows-based management server typically deployed in the data center or server room.

Because Arcserve UDP manages backup infrastructure with privileged access to the organization's stored data and recovery processes, vulnerabilities in its management interface represent high-value targets: attackers who compromise backup infrastructure can access backup credentials, mapped recovery points, and in ransomware scenarios, delete or corrupt backups to deny recovery options.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on March 25, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2015-4068 is an unauthenticated directory traversal vulnerability in Arcserve Unified Data Protection (UDP) that allows remote attackers to read arbitrary files from the management server's filesystem or cause denial-of-service conditions. The vulnerability exists in the UDP web management interface's handling of file path parameters — an attacker can traverse outside the intended directory and access sensitive files including configuration data, stored credentials, and system files.

Affected Versions

Product                               Status
Arcserve UDP (versions before patch)  Vulnerable

Arcserve released updates addressing CVE-2015-4068. Contact Arcserve support for specific patched version numbers for your deployed release.

Technical Details

Root Cause: Path Traversal in Web Management Interface

CVE-2015-4068 involves insufficient validation of file path inputs in Arcserve UDP's web management interface (CWE-22). The management server processes HTTP requests where user-supplied path components are used to construct filesystem paths for reading or serving files. When these inputs contain ../ traversal sequences, the server constructs paths that escape the intended directory scope.

An unauthenticated attacker can craft requests such as:

GET /path/to/file/../../sensitive/file HTTP/1.1
Host: <arcserve-server>

The server follows the traversal and reads files outside the intended web root or application directory, returning their contents in the HTTP response.
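The root cause above is the classic CWE-22 pattern: a client-supplied path segment is joined onto a base directory and used as-is. The following is an added example, not Arcserve's code, showing that unsafe construction beside a hardened resolver that confines every request to the base directory. The base directory (`/opt/arcserve-demo/webroot`) and the file names are constructed for the demo; the hardened version also handles the URL-encoded and backslash variants a Windows-hosted web application has to expect.

```python
"""
Added example (not Arcserve's code): the unsafe path construction that CWE-22
describes, beside a hardened resolver that confines every request to a base
directory. The base directory and file names are constructed for the demo.
"""
import os
from typing import Optional
from urllib.parse import unquote

# Constructed base directory; it does not need to exist for the demo.
WEB_ROOT = "/opt/arcserve-demo/webroot"


def unsafe_resolve(base_dir: str, requested: str) -> str:
    """Vulnerable pattern: the client-supplied path is joined onto the base
    directory and used as-is, so '../' segments walk out of base_dir."""
    return os.path.normpath(os.path.join(base_dir, requested))


def safe_resolve(base_dir: str, requested: str) -> Optional[str]:
    """Hardened pattern: decode, normalise, then require the resolved path
    to remain under the resolved base directory. Returns None on escape."""
    # Decode twice so a double-encoded "%252e%252e/" is seen as "../".
    decoded = unquote(unquote(requested))
    # Windows servers accept "\" as a separator; treat it like "/".
    decoded = decoded.replace("\\", "/")
    # Absolute paths and drive-letter prefixes never belong in a file request.
    if decoded.startswith("/") or (len(decoded) > 1 and decoded[1] == ":"):
        return None
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, decoded))
    # commonpath rejects prefix tricks such as "/srv/www-old" vs "/srv/www",
    # which a plain startswith() check on the string would accept.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    for req in ("reports/summary.html", "reports/../index.html",
                "../config/db.xml", "%2e%2e/%2e%2e/config/db.xml",
                "..\\..\\config\\db.xml"):
        print(f"{req!r:36} unsafe -> {unsafe_resolve(WEB_ROOT, req)}")
        print(f"{'':36} safe   -> {safe_resolve(WEB_ROOT, req)}")
```

Note that the check is containment, not a substring filter: `reports/../index.html` is allowed because it still resolves inside the web root, while `../config/db.xml`, its percent-encoded forms and the backslash form are all rejected. The `unsafe_resolve` output for the backslash case is only meaningful on Windows, where `normpath` treats `\` as a separator.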

Impact on Backup Infrastructure

Files accessible via the traversal can include:

  • Configuration files — Arcserve UDP database connection strings, administrator credentials, backup job configurations
  • System files — Windows system files, registry exports, user account information
  • Backup catalog data — metadata about what data has been backed up, recovery points, and storage paths

The availability impact (A:H in CVSS) reflects that certain traversal paths can reference resources that cause the application or service to crash or become unresponsive when read.

Attack Characteristics

Attribute Detail
Attack Vector Network — HTTP request to UDP management interface
Authentication None required
Impact File disclosure (credentials, config) + potential DoS
Scope Management server filesystem

Discovery

Disclosed in May 2015. Arcserve subsequently released patched versions of Arcserve UDP.

Exploitation Context

  • Backup infrastructure targeting: Attackers targeting enterprise environments specifically probe backup management consoles for vulnerabilities; access to Arcserve UDP credentials or configuration enables follow-on access to backup repositories, which are high-value targets for data theft and ransomware pre-staging
  • Pre-ransomware reconnaissance: Ransomware operators commonly enumerate backup infrastructure before deploying ransomware, seeking to delete or corrupt backups to eliminate recovery options and maximize ransom pressure; vulnerabilities like CVE-2015-4068 support this reconnaissance
  • Unpatched enterprise software: Enterprise backup products often run on dedicated servers with infrequent patching cycles, making old vulnerabilities persistent in organizational environments years after public disclosure
  • CISA KEV (2022): Added March 2022, confirming continued exploitation against unpatched Arcserve UDP deployments

Remediation

CISA BOD 22-01 Deadline: April 15, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Apply Arcserve UDP updates — install the latest available Arcserve UDP version that addresses CVE-2015-4068. Check Arcserve's support portal for the specific patched release for your deployed version.

  2. Restrict network access to UDP management interface — firewall the UDP web management port (default 8014/8015) to allow access only from authorized administrator workstations. The management interface should never be exposed to the internet.

  3. Audit UDP credentials — if the system may have been accessible while vulnerable, rotate all Arcserve UDP administrator passwords and any credentials stored in UDP configuration.

  4. Review backup repository access — verify that no unauthorized access occurred to backup data by reviewing UDP audit logs and backup job history for anomalies.

  5. Consider network segmentation — deploy backup management servers in a dedicated management network segment with strict access controls, separate from general corporate network access.
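Step 4 asks for a review of logs for anomalies. As an added example, not part of this advisory or of Arcserve's tooling, the scanner below reads web-server access logs from the management server and flags request URIs carrying directory-traversal sequences, including percent-encoded and double-encoded forms and backslash variants. It assumes the common access-log format; the sample lines are constructed, and the UDP console's own log layout may differ. A flagged request that returned status 200 with a non-zero body size is the one to escalate, since that indicates the file was served rather than rejected.

```python
"""
Added example (not Arcserve's code): scan web access logs for request URIs
that contain directory-traversal sequences, including URL-encoded,
double-encoded and backslash variants. Sample lines are constructed.
"""
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+$'
)
# ".." as a whole path segment, bounded by "/" or "\" (or start/end of path).
# A benign URI such as "app.js?v=2..1" or "report..pdf" does not match.
TRAVERSAL = re.compile(r'(?:^|[/\\])\.\.(?:[/\\]|$)')

# Constructed sample lines: a benign page load, a raw traversal, a
# URL-encoded one, a double-encoded one, and a benign URI containing "..".
SAMPLE_LOG = """\
10.0.5.21 - - [02/Jun/2025:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 5120
10.0.5.21 - - [02/Jun/2025:09:14:05 +0000] "GET /reports/../../config/db.xml HTTP/1.1" 200 2211
198.51.100.7 - - [02/Jun/2025:09:15:40 +0000] "GET /images/%2e%2e/%2e%2e/windows/win.ini HTTP/1.1" 200 403
198.51.100.7 - - [02/Jun/2025:09:15:41 +0000] "GET /images/%252e%252e/%252e%252e/boot.ini HTTP/1.1" 500 0
10.0.5.30 - - [02/Jun/2025:09:16:00 +0000] "GET /static/js/app.js?v=2..1 HTTP/1.1" 200 9001
"""


def decoded_path(uri: str) -> str:
    """Drop the query string and percent-decode twice, so a double-encoded
    '%252e%252e' is seen as '..'. (Traversal hidden inside query parameters
    would need a separate, per-parameter check.)"""
    return unquote(unquote(uri.split("?", 1)[0]))


def is_traversal(uri: str) -> bool:
    """True when the decoded request path contains a '..' path segment."""
    return TRAVERSAL.search(decoded_path(uri)) is not None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Parse each line and return one finding per request that looks like a
    traversal attempt. Lines that do not parse are skipped here; in
    production, count them so gaps in coverage are visible."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m or not is_traversal(m["uri"]):
            continue
        findings.append({
            "ip": m["ip"], "ts": m["ts"], "uri": m["uri"],
            "decoded": decoded_path(m["uri"]), "status": m["status"],
        })
    return findings


def sources(findings: List[Dict[str, str]]) -> Counter:
    """Count flagged requests per source address for triage."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['ip']:14} {h['status']} {h['uri']} -> {h['decoded']}")
    print("per source:", dict(sources(hits)))
```

Run against the constructed sample, the scanner reports three of the five lines and attributes two of them to the same external address; the `v=2..1` query string is correctly ignored because the `..` is not a path segment.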

Key Details

Property              Value
CVE ID                CVE-2015-4068
Vendor / Product      Arcserve — Unified Data Protection (UDP)
NVD Published         2015-05-29
NVD Last Modified     2025-10-22
CVSS 3.1 Score        9.1
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Severity              CRITICAL
CWE                   CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CISA KEV Added        2022-03-25
CISA KEV Deadline     2022-04-15
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric               Value
Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     None
Scope                Unchanged
Confidentiality      High
Integrity            None
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2022-04-15. Apply updates per vendor instructions.

Timeline

Date        Event
2015-05-29  CVE-2015-4068 published by NVD; directory traversal in Arcserve UDP disclosed
2022-03-25  Added to CISA Known Exploited Vulnerabilities catalog
2022-04-15  CISA BOD 22-01 remediation deadline

References

Resource                 Type
NVD — CVE-2015-4068      Vulnerability Database
CISA KEV Catalog Entry   US Government