Published:2026/04/16 Last Updated:2026/04/16
JVN#88396700
Arcserve UDP Console vulnerable to redirect to a dummy URL
Overview
Offline activation traffic of UDP Console provided by Arcserve may be redirected to a dummy URL.
Products Affected
- UDP Console version 10.3
Description
UDP Console provided by Arcserve contains the following vulnerability.
- Incorrectly specified destination in a communication channel (CWE-941)
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N Base Score 5.1
- CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L Base Score 6.3
- CVE-2026-40118
Impact
When a user configures an activation server hostname of the affected product to a dummy URL, the product may unintentionally communicate with the dummy domain, causing information disclosure.
Solution
Apply the patch
Apply the patch according to the information provided by Arcserve.
Vendor Status
| Vendor | Link |
| Arcserve | P00003790 | Arcserve UDP 10.3 | UDP Console Offline Activation Vulnerability |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Shingo Ando reported this vulnerability to IPA, IPA reported it to Arcserve, and JPCERT/CC coordinated with Arcserve to publish the advisory under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2026-40118 |
| JVN iPedia |
JVNDB-2026-000056 |