Reflected XSS Vulnerability in Arcserve Unified Data Protection Product
CVE-2025-34521

4.8 MEDIUM

Key Information:

Vendor: Arcserve

CVE Published: 27 August 2025

What is CVE-2025-34521?

A reflected cross-site scripting (XSS) vulnerability exists in the web interface of Arcserve Unified Data Protection (UDP): user input is reflected in HTTP responses without being sanitized. A remote attacker with low privileges can craft a malicious link that, if clicked by another user, executes arbitrary JavaScript in the victim's browser. Exploitation can lead to session hijacking, credential theft, or other client-side impact. Successful exploitation requires user interaction and occurs within a shared browser context. To mitigate this issue, users running versions 8.0 through 10.1 should apply patches or upgrade to version 10.2, which includes the necessary security enhancements. Versions 7.x and earlier are unsupported and must be upgraded to 10.2 to resolve the vulnerability.

Affected Version(s)

Unified Data Protection (UDP) 8.0 through 10.1

Unified Data Protection (UDP) 7.x and earlier

Unified Data Protection (UDP) 10.2

CVSS V4

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

watchTowr