A critical security flaw in Veritas’ Arctera InfoScale product line has exposed enterprise systems to remote code execution (RCE) attacks, underscoring persistent risks in disaster recovery infrastructure.
Tracked as CVE-2025-27816, the vulnerability (CVSS v3.1 score: 9.8) resides in the Windows Plugin_Host service, the component InfoScale's DR wizard uses when configuring applications for Disaster Recovery (DR).
Attackers can exploit the flaw without authenticating: sending maliciously crafted .NET remoting messages to the service's endpoint is enough to execute arbitrary code on the host.
Critical Veritas Vulnerability
The vulnerability stems from insecure deserialization (CWE-502) in the .NET remoting interface exposed by the Plugin_Host service.
Deserialization, the process of converting serialized data back into live objects, becomes hazardous when untrusted input is processed without validation, because the deserializer will instantiate whatever object graph the input describes.
In this case, the Plugin_Host service deserializes incoming remoting messages without authenticating the sender or verifying their integrity, so an attacker can supply a serialized object payload that executes code as a side effect of being reconstructed.
The affected service runs by default on every Windows server with an Arctera InfoScale installation, but it is only functionally required when DR configurations are managed through the GUI-based wizard.
That default means every installation is exposed unless the service is disabled; the wizard dependency matters for choosing a mitigation, not for exposure. Successful exploitation grants SYSTEM-level privileges on the node, putting entire clusters at risk.
Mitigations
Veritas confirmed the vulnerability impacts Arctera InfoScale Enterprise for Windows versions 7.0 through 8.0.2.
Legacy, unsupported versions are also susceptible. To mitigate risks, administrators must either:
- Disable the Plugin_Host service across all cluster nodes.
- Configure DR manually without invoking the vulnerable component.
Organizations opting for manual DR configuration must follow Veritas’ guidelines to avoid reactivating the endpoint.
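The following PowerShell is an added example for the workaround above (disabling Plugin_Host on every cluster node and verifying it stays disabled); it is not Veritas/Arctera code. It assumes the Windows service is registered as 'Plugin_Host' (adjust $ServiceName if your install names it differently) and uses placeholder node names that you replace with your own cluster nodes; WinRM remoting to those nodes is also assumed.

```powershell
# Added example, not Veritas/Arctera code. Assumptions: the service name is
# 'Plugin_Host' and the node names below are placeholders for your cluster.
$ServiceName = 'Plugin_Host'
$Nodes       = @('infoscale-node1', 'infoscale-node2')   # placeholder node names

# Report presence, run state and start type of the service on each node.
function Get-PluginHostState {
    param([string[]]$ComputerName, [string]$Name)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($svcName)
        $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Node      = $env:COMPUTERNAME
            Present   = [bool]$svc
            Status    = if ($svc) { $svc.Status }    else { 'n/a' }
            StartType = if ($svc) { $svc.StartType } else { 'n/a' }
        }
    } -ArgumentList $Name
}

# Stop the service and set it to Disabled so a reboot does not bring it back.
function Disable-PluginHost {
    param([string[]]$ComputerName, [string]$Name)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($svcName)
        $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
        if (-not $svc) { return "$env:COMPUTERNAME: service '$svcName' not found" }
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $svcName -Force }
        Set-Service -Name $svcName -StartupType Disabled
        $svc = Get-Service -Name $svcName
        "$env:COMPUTERNAME: $svcName is $($svc.Status), start type $($svc.StartType)"
    } -ArgumentList $Name
}

# 1. Inventory before changing anything.
Get-PluginHostState -ComputerName $Nodes -Name $ServiceName | Format-Table -AutoSize

# 2. Stop and disable on all nodes.
Disable-PluginHost -ComputerName $Nodes -Name $ServiceName

# 3. Re-check and fail loudly if any node still runs the service or has it set
#    to start automatically (for example after someone ran the DR wizard).
$bad = Get-PluginHostState -ComputerName $Nodes -Name $ServiceName |
       Where-Object { $_.Present -and ($_.Status -ne 'Stopped' -or $_.StartType -ne 'Disabled') }
if ($bad) {
    $bad | Format-Table -AutoSize
    throw "Plugin_Host is still enabled on one or more nodes"
}
```

Step 3 is the part worth keeping around: run it on a schedule or after any DR change, since manual DR configuration is only a mitigation as long as nobody re-enables the service.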
Security researcher Sina Kheirkhah of watchTowr Labs, who is credited with discovering the flaw, noted, “Insecure deserialization remains a pervasive threat. Developers often underestimate how trivial it is to weaponize gadget chains in .NET environments.”
CVE-2025-27816 exemplifies how deprecated technologies can resurface as critical threats in modern infrastructures.
With a CVSS score that reflects remote exploitability without prior privileges or user interaction, organizations must act swiftly to disable the vulnerable service and audit their disaster recovery workflows.
As watchTowr’s research underscores, proactive defense, not just patching, is essential in an era when attackers rapidly weaponize such flaws.