CVE-2007-2139

CA BrightStor ARCserve Backup 9.01-11.5 SP2 - Remote Code Execution via Malformed RPC Strings

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2007-2139. PoCs published by Metasploit, toto, including Metasploit module exploits/windows/brightstor/mediasrv_sunrpc.

AI-analyzed exploit summary This exploit targets a stack buffer overflow in the MediaSrv RPC service of CA BrightStor Arcserve. It leverages a crafted SUNRPC request to overflow a stack buffer and execute arbitrary code, with specific handling for NX bypass on Windows 2003.

Description

Multiple stack-based buffer overflows in the SUN RPC service in CA (formerly Computer Associates) BrightStor ARCserve Media Server, as used in BrightStor ARCserve Backup 9.01 through 11.5 SP2, BrightStor Enterprise Backup 10.5, Server Protection Suite 2, and Business Protection Suite 2, allow remote attackers to execute arbitrary code via malformed RPC strings, a different vulnerability than CVE-2006-5171, CVE-2006-5172, and CVE-2007-1785.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/16413

This exploit targets a stack buffer overflow in the MediaSrv RPC service of CA BrightStor Arcserve. It leverages a crafted SUNRPC request to overflow a stack buffer and execute arbitrary code, with specific handling for NX bypass on Windows 2003.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: CA BrightStor Arcserve 9.0 - 11.5 SP2
No auth needed
Prerequisites: Network access to the target system · MediaSrv RPC service running on port 0x6097e (TCP)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC NORMAL
by toto · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/brightstor/mediasrv_sunrpc.rb

This Metasploit module exploits a stack buffer overflow in CA BrightStor ArcServe Media Service via a crafted SUNRPC request, allowing arbitrary code execution. It includes ROP chains to bypass NX on Windows 2003 and targets multiple versions of the software.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: CA BrightStor ARCserve 9.0 - 11.5 SP2
No auth needed
Prerequisites: Network access to the target's RPC service (TCP port 0x6097e) · Vulnerable version of CA BrightStor ArcServe
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (11)

Core 11
Core References
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/2628
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/979825
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/35326
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/24972
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/33854
Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/23635
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/466790/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1017952
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2007/1529
Third Party Advisory x_refsource_misc
http://www.zerodayinitiative.com/advisories/ZDI-07-022.html

Scores

EPSS 0.7800
EPSS Percentile 99.5%

Details

Status published
Products (7)
broadcom/brightstor_arcserve_backup 9.01
broadcom/brightstor_arcserve_backup 11.1
broadcom/brightstor_arcserve_backup 11.5 sp2
broadcom/business_protection_suite 2.0
broadcom/server_protection_suite 2
ca/brightstor_arcserve_backup 11
ca/business_protection_suite 2.0 (2 CPE variants)
Published Apr 25, 2007
Tracked Since Feb 18, 2026