CVE-2006-5143

CA BrightStor ARCserve Backup <r11.5 SP1 - RCE

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 5 public exploits for CVE-2006-5143. PoCs published by Metasploit, Winny Thomas, LSsec.com, including Metasploit module exploits/windows/brightstor/message_engine_heap.

AI-analyzed exploit summary This Metasploit module exploits a heap overflow in CA BrightStor ARCserve Backup 11.5 via a crafted DCERPC request to execute arbitrary code. It targets Windows 2000 SP4 English and includes a payload with specific bad character restrictions.

Description

Multiple buffer overflows in CA BrightStor ARCserve Backup r11.5 SP1 and earlier, r11.1, and 9.01; BrightStor ARCserve Backup for Windows r11; BrightStor Enterprise Backup 10.5; Server Protection Suite r2; and Business Protection Suite r2 allow remote attackers to execute arbitrary code via crafted data on TCP port 6071 to the Backup Agent RPC Server (DBASVR.exe) using the RPC routines with opcode (1) 0x01, (2) 0x02, or (3) 0x18; invalid stub data on TCP port 6503 to the RPC routines with opcode (4) 0x2b or (5) 0x2d in ASCORE.dll in the Message Engine RPC Server (msgeng.exe); (6) a long hostname on TCP port 41523 to ASBRDCST.DLL in the Discovery Service (casdscsvc.exe); or unspecified vectors related to the (7) Job Engine Service.

Exploits (5)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/16401

This Metasploit module exploits a heap overflow in CA BrightStor ARCserve Backup 11.5 via a crafted DCERPC request to execute arbitrary code. It targets Windows 2000 SP4 English and includes a payload with specific bad character restrictions.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: CA BrightStor ARCserve Backup 11.5
No auth needed
Prerequisites: Network access to target on port 6503 · Vulnerable version of CA BrightStor ARCserve Backup
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Winny Thomas · pythonremotewindows
https://www.exploit-db.com/exploits/3495

This exploit targets a stack overflow vulnerability in CA BrightStor's msgeng.exe service via a malformed RPC request. It leverages a heap-based buffer to overwrite EIP and execute a port-binding shellcode on TCP port 4444.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: CA BrightStor (msgeng.exe service)
No auth needed
Prerequisites: Network access to target's TCP port 6503 · Vulnerable version of CA BrightStor
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by LSsec.com · pythonremotewindows
https://www.exploit-db.com/exploits/28766

This exploit targets a buffer overflow vulnerability in Computer Associates Brightstor Backup Mediasvr.exe via malformed RPC packets. It leverages a design error in XDR procedure handling to achieve remote code execution by controlling ECX and EAX registers, leading to shellcode execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Computer Associates Brightstor Backup 11.5.2.0 (SP2)
No auth needed
Prerequisites: Network access to the target system · Mediasvr.exe service running on the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by LSsec.com · cremotewindows
https://www.exploit-db.com/exploits/28765

This exploit targets a buffer overflow vulnerability in CA BrightStor ARCserve Backup v11.5 Message Engine, allowing remote code execution via a crafted DCE/RPC request. It includes a bind shell payload and demonstrates the overflow by manipulating the stub data.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: CA BrightStor ARCserve Backup v11.5
No auth needed
Prerequisites: Network access to the target system · DCE/RPC service exposed
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC NORMAL
by MC · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/brightstor/message_engine_heap.rb

This Metasploit module exploits a heap overflow in CA BrightStor ARCserve Backup 11.5 via a crafted DCERPC request to execute arbitrary code. It targets Windows 2000 SP4 with a specific return address and uses a standard payload delivery mechanism.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: CA BrightStor ARCserve Backup 11.5
No auth needed
Prerequisites: Network access to target on port 6503 · Vulnerable version of CA BrightStor ARCserve Backup
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (27)

Core 27
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/29364
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/447862/100/100/threaded
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/22285
Various Sources x_refsource_misc
http://www.lssec.com/advisories/LS-20060330.pdf
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/447930/100/200/threaded
Various Sources x_refsource_misc
http://www.lssec.com/advisories/LS-20060313.pdf
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/361792
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/447926/100/200/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1017004
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/860048
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/3930
Various Sources x_refsource_misc
http://www.lssec.com/advisories/LS-20060220.pdf
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/20365
Patch, Vendor Advisory x_refsource_misc
http://www.zerodayinitiative.com/advisories/ZDI-06-030.html
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/447847/100/200/threaded
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/447927/100/200/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1017006
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1017003
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1017005
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/447839/100/100/threaded
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/447848/100/100/threaded

Scores

EPSS 0.7838
EPSS Percentile 99.5%

Details

CWE
CWE-119
Status published
Products (7)
broadcom/brightstor_arcserve_backup 9.01
broadcom/brightstor_arcserve_backup 11.1
broadcom/brightstor_arcserve_backup < 11.5
broadcom/brightstor_enterprise_backup 10.5
broadcom/business_protection_suite 2.0
broadcom/server_protection_suite 2
ca/brightstor_arcserve_backup 11
Published Oct 10, 2006
Tracked Since Feb 18, 2026