Marc Maiffret, co-founder and CTO of eEye Digital Security, said researchers found the first flaw in CA's ARCServe Backup for Laptops and Desktops a few weeks ago. After that, he said in an interview with InformationWeek, it was like peeling back the layers of an onion.
CA did not immediately respond to a request for comment.
Maiffret said all of the bugs are buffer overflow flaws, and each one received eEye's highest threat rating, since they all allow remote execution. "No user interaction is required," he explained. "Any laptop or desktop [running this CA backup software] connected to a network with an IP address is vulnerable. The user doesn't even have to be sitting at the computer for it to be compromised."
Once an attacker has exploited one of the flaws, the vulnerability lets him take full control of the affected system.
CA's security team has been very responsive in working on the flaws with eEye, he said.
"There's always a risk where there are so many vulnerabilities that hackers will find them, too, before a patch comes out," said Maiffret. "Then you worry about exploits and zero-days. CA has been a big target [for hackers] for a while."