CVE-2006-6076

BrightStor ARCserve Backup < 11.5 - Remote Code Execution via RPC Request to Tape Engine

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2006-6076. PoCs were published by Metasploit, MC, and aushack, including the Metasploit module exploits/windows/brightstor/tape_engine_0x8a.

AI-analyzed exploit summary: This exploit targets a stack buffer overflow in CA BrightStor ARCserve Tape Engine via a crafted DCERPC request. It leverages SEH overwrites to achieve remote code execution on vulnerable versions.

Description

Buffer overflow in the Tape Engine (tapeeng.exe) in CA (formerly Computer Associates) BrightStor ARCserve Backup 11.5 and earlier allows remote attackers to execute arbitrary code via certain RPC requests to TCP port 6502.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/16407

This exploit targets a stack buffer overflow in CA BrightStor ARCserve Tape Engine via a crafted DCERPC request. It leverages SEH overwrites to achieve remote code execution on vulnerable versions.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: CA BrightStor ARCserve Backup r11.1 - r11.5
No auth needed
Prerequisites: Network access to target on port 6502 · Vulnerable version of CA BrightStor ARCserve
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC NORMAL
by MC · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/brightstor/tape_engine_0x8a.rb

This Metasploit module exploits a stack buffer overflow in CA BrightStor ARCserve Tape Engine via a crafted DCERPC request to opcode 0x8A, allowing arbitrary code execution. It targets BrightStor ARCserve r11.1-r11.5 on Windows 2003.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: CA BrightStor ARCserve Backup r11.1 - r11.5
No auth needed
Prerequisites: Network access to target on port 6502 · Vulnerable version of CA BrightStor ARCserve
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC NORMAL
by MC, aushack · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/brightstor/tape_engine.rb

This Metasploit module exploits a stack buffer overflow in CA BrightStor ARCserve Tape Engine via a crafted DCERPC request, allowing arbitrary code execution. It targets versions r11.1 to r11.5 by leveraging SEH overwrites.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: CA BrightStor ARCserve Backup r11.1 - r11.5
No auth needed
Prerequisites: Network access to target on port 6502 · Vulnerable version of CA BrightStor ARCserve
devstral-2 · analyzed Feb 16, 2026

References (15)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/21221
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/452318/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/30453
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/24512
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/456711
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1017268
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/23060
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/4654
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/452222/100/0/threaded
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/437300

Scores

EPSS: 0.6899
EPSS Percentile: 99.3%

Details

Status: published
Products (7)
broadcom/brightstor_arcserve_backup 11.1
broadcom/brightstor_arcserve_backup 11.5 sp1
broadcom/brightstor_arcserve_backup < 11.5
ca/brightstor_arcserve_backup 11
ca/brightstor_arcserve_backup 11.1
ca/brightstor_arcserve_backup_agent 11.0
ca/brightstor_arcserve_backup_agent 11.1
Published: Nov 24, 2006
Tracked Since: Feb 18, 2026