CVE-2026-40118
Information Disclosure via Misconfigured UDP Console in Arcserve
Publication date: 2026-04-16
Last updated on: 2026-04-16
Assigner: JPCERT/CC
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| arcserve | udp_console | 10.3 |
| arcserve | udp_console | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-941 | The product creates a communication channel to initiate an outgoing request to an actor, but it does not correctly specify the intended destination for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40118 is a vulnerability in Arcserve UDP Console version 10.3 related to offline activation traffic.
The issue occurs because the communication channel has an incorrectly specified destination, allowing the activation server hostname to be set to a dummy URL.
When this happens, the UDP Console may unintentionally send communication to the dummy domain, which can lead to information disclosure.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Arcserve UDP Console may cause unintentional communication with a dummy domain, potentially leading to information disclosure. This exposure of sensitive information could impact compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized disclosure.
However, the provided information does not explicitly discuss the direct effects on compliance with these standards or any regulatory implications.
How can this vulnerability impact me?
If a user configures the activation server hostname incorrectly to a dummy or malicious URL, the UDP Console may redirect communication to that domain.
This redirection can cause sensitive information to be disclosed unintentionally.
The vulnerability has a moderate severity level with a CVSS v3 base score of 6.3, indicating it can be exploited remotely without privileges but requires user interaction.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the Arcserve UDP Console communicating with an incorrectly specified activation server hostname, potentially redirecting traffic to a dummy or malicious domain.
To detect this vulnerability on your network or system, monitor network traffic from the Arcserve UDP Console for any unexpected communication attempts to unknown or dummy URLs configured as activation servers.
Specifically, you can use network monitoring tools or commands to capture and analyze outbound UDP or TCP traffic from the UDP Console process.
- Use packet capture tools like tcpdump or Wireshark to filter traffic from the UDP Console host, for example `tcpdump -i <interface> host <udp_console_ip>`, and look for DNS queries or connections to suspicious or dummy domains.
- On Windows systems, use netstat to check for active connections from the UDP Console process, for example `netstat -ano | findstr <udp_console_process_id>`, and verify the remote addresses.
- Check the configuration of the activation server hostname in the UDP Console settings to ensure it is not set to a dummy or incorrect URL.
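The netstat check above can be automated. The following is an added example, not code from this page or from Arcserve: it parses `netstat -ano` output and reports remote endpoints owned by a given process ID that fall outside an allowlist. The PID, the addresses and the sample output are constructed placeholders; the allowlist must hold the addresses your legitimate activation server and internal nodes resolve to.

```python
import ipaddress

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8443           0.0.0.0:0              LISTENING       4312
  TCP    10.0.0.5:49712         198.51.100.20:443      ESTABLISHED     4312
  TCP    10.0.0.5:49713         203.0.113.77:443       ESTABLISHED     4312
  TCP    10.0.0.5:49720         203.0.113.77:443       ESTABLISHED     9000
  TCP    10.0.0.5:51515         10.0.0.9:8014          TIME_WAIT       4312
  TCP    [::1]:49800            [::1]:8443             ESTABLISHED     4312
  UDP    0.0.0.0:5353           *:*                                    4312
"""

# Placeholder allowlist: trusted activation server plus the internal subnet.
TRUSTED = ["198.51.100.20/32", "10.0.0.0/24"]


def split_endpoint(endpoint):
    """Split 'host:port' or '[v6]:port' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def unexpected_remotes(netstat_text, pid, trusted_cidrs):
    """Return (ip, port, state) for TCP peers of `pid` outside the allowlist."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have exactly 5 columns; headers and UDP rows do not.
        if len(fields) != 5 or fields[0] != "TCP":
            continue
        _, _local, remote, state, owner = fields
        if owner != str(pid) or state == "LISTENING":
            continue
        host, port = split_endpoint(remote)
        addr = ipaddress.ip_address(host)
        if addr.is_loopback or any(addr in net for net in trusted):
            continue
        findings.append((str(addr), port, state))
    return findings


if __name__ == "__main__":
    for ip, port, state in unexpected_remotes(SAMPLE_NETSTAT, 4312, TRUSTED):
        print(f"unexpected peer {ip}:{port} ({state})")
```

Matching on the PID column avoids the false hits that a plain `findstr` on the number produces when the same digits appear in a port or address.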
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to apply the patch provided by Arcserve, referenced as P00003790, which addresses the offline activation vulnerability in UDP Console version 10.3.
Additionally, verify and correct the activation server hostname configuration in the UDP Console to ensure it is set to a legitimate and trusted URL, avoiding dummy or incorrect domains.
Monitor network traffic for any suspicious communication attempts and restrict outbound connections from the UDP Console to only trusted servers if possible.