Urgent Patch Needed: Critical RCE Vulnerability in Veritas InfoScale

A critical security vulnerability has been discovered in Veritas’ Arctera InfoScale product line that puts enterprise systems at significant risk. Tracked as CVE-2025-27816, this vulnerability allows remote code execution (RCE) and has received a severity score of 9.8 out of 10. The flaw is due to insecure deserialization (CWE-502) within the .NET remoting interface of the Plugin_Host service, part of InfoScale’s disaster recovery (DR) wizard. Because the service deserializes untrusted input without proper validation, an attacker who can reach it can have malicious code executed on the host.

The Plugin_Host service, which runs automatically on all Windows servers with Arctera InfoScale installed, becomes an entry point for attack when DR configurations are managed via the GUI-based wizard. Attackers can bypass authentication and execute arbitrary code by sending crafted .NET remoting messages to vulnerable endpoints. The vulnerability is particularly dangerous because successful exploitation grants SYSTEM-level privileges, potentially compromising entire clusters of enterprise systems. The exposure is, however, somewhat limited to environments that use the automated DR workflows.

Impacted Versions and Mitigation Measures

Veritas has acknowledged that this critical vulnerability impacts Arctera InfoScale Enterprise for Windows versions 7.0 through 8.0.2, which includes legacy, unsupported versions. To mitigate the risks, Veritas recommends that administrators disable the Plugin_Host service on all cluster nodes or configure DR without invoking the vulnerable component. It is crucial to follow Veritas’ guidelines to ensure the service cannot be accidentally reactivated. Disabling the Plugin_Host service will significantly reduce the attack surface and protect the environment from this severe vulnerability.
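The following PowerShell audit script is an added example, not code from Veritas or from the advisory: it checks every cluster node to confirm the Plugin_Host service is both stopped and set to Disabled, which is the state the mitigation above requires. It assumes the Windows service is registered under the name "Plugin_Host" as the text calls it (confirm with `Get-Service` on one node first) and uses placeholder node names and WinRM remoting.

```powershell
# Added audit example (not Veritas/Arctera code).
# Assumption: the service name is exactly 'Plugin_Host'; verify before relying on this.
$ServiceName = 'Plugin_Host'
$Nodes       = @('NODE1', 'NODE2')   # placeholder: replace with your cluster node names
$Remediate   = $false                # set to $true to stop and disable on non-compliant nodes

$results = foreach ($node in $Nodes) {
    try {
        # One CIM query returns both the run state and the start mode
        $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $node `
               -Filter "Name='$ServiceName'" -ErrorAction Stop
        if (-not $svc) {
            # Service not installed on this node: nothing to expose
            [pscustomobject]@{ Node = $node; Present = $false; State = 'n/a'; StartMode = 'n/a'; Compliant = $true }
        } else {
            [pscustomobject]@{
                Node      = $node
                Present   = $true
                State     = $svc.State
                StartMode = $svc.StartMode
                # Mitigation holds only if it is stopped AND cannot be restarted automatically
                Compliant = ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled')
            }
        }
    } catch {
        # Unreachable node or query failure: treat as non-compliant so it gets looked at
        [pscustomobject]@{ Node = $node; Present = 'unknown'; State = 'error'; StartMode = $_.Exception.Message; Compliant = $false }
    }
}

$results | Format-Table -AutoSize

$nonCompliant = $results | Where-Object { -not $_.Compliant -and $_.Present -eq $true }
foreach ($entry in $nonCompliant) {
    Write-Warning "$ServiceName is still enabled or running on $($entry.Node)"
    if ($Remediate) {
        # Stop the service and set it to Disabled so it cannot be reactivated on reboot
        Invoke-Command -ComputerName $entry.Node -ScriptBlock {
            param($name)
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $name -StartupType Disabled
        } -ArgumentList $ServiceName
    }
}
if ($nonCompliant) { exit 1 }
```

Run it from a management host with WinRM access to the nodes; a non-zero exit code makes it easy to wire into a scheduled compliance check so a reactivated service is noticed.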

Security researcher Sina Kheirkhah of watchTowr Labs has underscored the persistent threat that insecure deserialization poses, especially in .NET environments. Organizations are urged to act swiftly to disable vulnerable services, audit their disaster recovery workflows, and not rely solely on patches to address these kinds of threats effectively. Proactive defenses, including regular security audits and adherence to best practices, are essential to safeguard against the potential exploitation of such vulnerabilities.
