CVE-2025-32987
📋 TL;DR
Arctera eDiscovery Platform versions before 10.3.2 expose cleartext passwords on command lines when using the Enterprise Vault Collection Module. This allows local users or processes to read sensitive credentials. Organizations using affected versions with this module enabled are vulnerable.
💻 Affected Systems
- Arctera eDiscovery Platform
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers with local access could capture administrative passwords, potentially leading to full system compromise, data exfiltration, or lateral movement within the network.
Likely Case
Local users or malicious processes could harvest credentials, leading to unauthorized access to the eDiscovery platform or connected systems.
If Mitigated
With proper access controls and monitoring, impact is limited to credential exposure without successful exploitation.
🎯 Exploit Status
Exploitation requires local access to view process command lines or system logs.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.3.2
Vendor Advisory: https://www.veritas.com/support/en_US/security/ARC25-005
Restart Required: Yes
Instructions:
1. Download Arctera eDiscovery Platform version 10.3.2 from Veritas support portal.
2. Backup current configuration and data.
3. Run the installer to upgrade.
4. Restart all Arctera services.
5. Verify functionality of Enterprise Vault Collection Module.
🔧 Temporary Workarounds
Disable Enterprise Vault Collection Module
All platforms: Temporarily disable the vulnerable module until patching is possible
# Check Arctera documentation for module disable procedure
Restrict Process Monitoring
All platforms: Limit who can view process command lines and system logs
# Implement appropriate OS-level access controls for process monitoring tools
🧯 If You Can't Patch
- Implement strict access controls to limit who can view process command lines and system logs
- Monitor for unusual process creation or command line activity involving EVSearcher
🔍 How to Verify
Check if Vulnerable:
Check the Arctera version in the admin interface. The system is vulnerable if the version is below 10.3.2 and the Enterprise Vault Collection Module is enabled.
Check Version:
# Check Arctera version in web admin interface or configuration files
Verify Fix Applied:
Confirm version is 10.3.2 or higher in admin interface and verify EVSearcher no longer shows passwords in process command lines.
📡 Detection & Monitoring
Log Indicators:
- Process creation logs showing EVSearcher with password arguments
- Command line logging containing cleartext passwords
Network Indicators:
- N/A - This is a local information disclosure vulnerability
SIEM Query:
ProcessName="EVSearcher" AND (CommandLine CONTAINS "password" OR CommandLine CONTAINS "pwd")
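
An added example (not from this page or the vendor) of the log check described above, in Python: it flags process-creation events where EVSearcher runs with a password-like argument and redacts the value, so the alert itself does not copy the credential into the SIEM. The events, hosts, paths and switch names (-password, /pwd) are constructed assumptions; the page does not document EVSearcher's real arguments.

```python
import re
from pathlib import PureWindowsPath

# Password-like switches such as "-password X", "/pwd:X", "--pass=X".
# The switch names are hypothetical; adjust them to what your logs show.
SECRET_ARG = re.compile(
    r'(?i)(?P<key>[-/]{1,2}(?:password|passwd|pwd|pass)\b)'
    r'(?P<sep>\s*[:=]\s*|\s+)(?P<val>"[^"]*"|\S+)'
)

def is_evsearcher(image: str) -> bool:
    """Match on the executable's base name, ignoring case and extension."""
    return PureWindowsPath(image).stem.lower() == "evsearcher"

def redact(cmdline: str) -> str:
    """Replace the value of every password-like argument with a marker."""
    return SECRET_ARG.sub(lambda m: f"{m['key']}{m['sep']}<redacted>", cmdline)

def scan(events):
    """Return alerts for EVSearcher launches carrying a password-like argument."""
    alerts = []
    for ev in events:
        # Both conditions must hold; a password keyword alone is not enough.
        if is_evsearcher(ev["image"]) and SECRET_ARG.search(ev["cmdline"]):
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "cmdline": redact(ev["cmdline"])})
    return alerts

# Constructed process-creation events (not real logs).
SAMPLE_EVENTS = [
    {"host": "EDISC01", "user": "svc_edp", "image": r"C:\example\EVSearcher.exe",
     "cmdline": 'EVSearcher.exe -server ev01 -user svc_ev -password "Winter 2025!"'},
    {"host": "EDISC01", "user": "svc_edp", "image": r"C:\example\EVSearcher.exe",
     "cmdline": "EVSearcher.exe -server ev01 -configfile job42.xml"},
    {"host": "WKS07", "user": "alice", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c echo pwd"},
    {"host": "EDISC02", "user": "svc_edp", "image": "evsearcher.exe",
     "cmdline": "evsearcher.exe /pwd:hunter2 /server:ev02"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

After upgrading to 10.3.2, the same scan over new process-creation logs should return no alerts, which matches the "Verify Fix Applied" step.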