Description
UDP Console provided by Arcserve contains an incorrectly specified destination in a communication channel vulnerability. When a user configures an activation server hostname of the affected product to a dummy URL, the product may unintentionally communicate with the dummy domain, causing information disclosure.
Published: 2026-04-16
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

Arcserve UDP Console has a flaw in how it handles the activation server hostname. When the hostname is set to an incorrect or dummy URL, the product communicates with that unintended domain and can expose internal information through the channel. The weakness is an incorrectly specified destination in a communication channel, classified as CWE-941.

Affected Systems

The vulnerability affects the Arcserve UDP Console product. No specific version numbers are provided in the advisory, so all releases of Arcserve UDP Console that allow external activation server configuration are potentially impacted.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate risk level. Exploitability is unclear because the EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, an attacker must gain the ability to alter the activation server hostname, which likely requires privileged access to the console or compromise of configuration files. The impact is information disclosure rather than code execution or denial of service, limiting the scope but still posing a confidentiality risk.

Generated by OpenCVE AI on April 16, 2026 at 08:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s latest security patch or upgrade to a fixed version of Arcserve UDP Console if available.
  • Review and correct any activation server hostname settings so that only valid, trusted domains are used.
  • Configure network perimeter rules or use a firewall to block outbound traffic to unauthorized or external domains that are not part of the normal operation of the UDP Console.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 14:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Thu, 16 Apr 2026 09:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Arcserve; Arcserve udp Console |
| Vendors & Products | | Arcserve; Arcserve udp Console |

Thu, 16 Apr 2026 09:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Incorrect Destination Specification Leading to Unintended Communication and Information Disclosure in Arcserve UDP Console |

Thu, 16 Apr 2026 05:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | UDP Console provided by Arcserve contains an incorrectly specified destination in a communication channel vulnerability. When a user configures an activation server hostname of the affected product to a dummy URL, the product may unintentionally communicate with the dummy domain, causing information disclosure. |
| Weaknesses | | CWE-941 |
| References | | |
| Metrics | | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L'}; cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-04-16T13:00:56.282Z

Reserved: 2026-04-09T04:39:51.927Z

Link: CVE-2026-40118

Vulnrichment

Updated: 2026-04-16T13:00:52.978Z

NVD

Status: Received

Published: 2026-04-16T05:16:14.860

Modified: 2026-04-16T05:16:14.860

Link: CVE-2026-40118

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T09:11:54Z
