Remote Code Execution Vulnerabilities in Arctera/Veritas Enterprise Vault

Revision History

• 1.0: November 15, 2024: Initial version
• 2.0: December 3, 2024: CVE IDs, Version 14.5.2, and Discovery Accelerator, and Compliance Accelerator/Veritas Surveillance added
• 3.0: June 16, 2025: Updated issue and technote in Mitigation

Description

Arctera/Veritas has discovered an issue where Arctera/Veritas Enterprise Vault could allow Remote Code Execution on a vulnerable Enterprise Vault, Discovery Accelerator, and Compliance Accelerator/Veritas Surveillance Server.

Issue

• CVE ID: See above
• Severity: Critical
• CVSS v3.1 Base Score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications. These TCP ports can be exploited due to vulnerabilities that are inherent to the .NET Remoting service. A malicious attacker can exploit remoting services on the Enterprise Vault server, eDiscovery (formerly Discovery Accelerator) and Surveillance (formerly Compliance Accelerator) servers. If a malicious attacker sends specially crafted data through these vulnerable endpoints, it could result in remote code execution.

Prerequisites

For a successful attack, the following conditions must be fulfilled: 

Attacker privileges

• The malicious actor is a valid domain user in the same Active Directory domain (or a trusted domain in the same forest) where the Enterprise Vault servers reside.
• The attacker account is a member of the Remote Desktop Users group, granting RDP access to at least one VM on the network.

Network and service exposure

• The attacker knows the IP address of the Enterprise Vault server.
• The attacker has access to:
  • The process IDs of the vulnerable Enterprise Vault processes (and the dynamic TCP ports on which they expose .NET Remoting endpoints)
  • The URIs for Enterprise Vault’s remotable objects
• Firewall or other network controls permit traffic from the attacker’s VM to those TCP ports on the Enterprise Vault server.

Affected Versions
All currently supported versions of Enterprise Vault versions: 15.1, 15.0, 15.0.1, 15.0.2, 14.5, 14.5.2, 14.5.1, 14.4, 14.4.1, 14.4.2, 14.3, 14.3.1, 14.3.2, 14.2, 14.2.3, 14.2.2, 14.2.1, 14.1.3, 14.1.2, 14.1.1, 14.1, 14.0.1, 14.0. Earlier unsupported versions may be affected as well.

Mitigation

The Enterprise Vault server can be protected from .NET Remoting attacks by applying the following guidelines provided in technote: https://www.veritas.com/support/en_US/article.100074432

Arctera plans to remediate these vulnerabilities in Enterprise Vault 15.2, with General Availability expected in the third quarter of CY25.

Questions

For questions or problems regarding these vulnerabilities please contact Arctera Technical Support (https://www.arctera.io/support)

Acknowledgement

Arctera would like to thank Sina Kheirkhah working with Trend Micro’s Zero Day Initiative (ZDI) for notifying us of these vulnerabilities.

Disclaimer

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.   ARCTERA US LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Arctera US LLC
6200 Stoneridge Mall Road, Suite 150
Pleasanton, CA 94588