Critical Vulnerability Discovered in Commvault Command Center
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a severe security vulnerability affecting Commvault Command Center to its Known Exploited Vulnerabilities (KEV) catalog. This move comes shortly after the flaw, identified as CVE-2025-34028, was publicly disclosed. The vulnerability has been assigned a critical CVSS score of 10.0 and is characterized as a path traversal bug that impacts versions 11.38.0 through 11.38.19 of the software. It has since been patched in subsequent releases, specifically 11.38.20 and 11.38.25.
CISA has highlighted the grave nature of the vulnerability, stating that it enables remote, unauthenticated attackers to execute arbitrary code within the Commvault Command Center. This flaw allows attackers to upload ZIP files that, when unpacked on a compromised server, could lead to remote code execution. The underlying issue resides in an endpoint known as “deployWebpackage.do,” which can trigger a pre-authenticated Server-Side Request Forgery (SSRF), effectively allowing the execution of malicious code contained within specially crafted ZIP files.
While the specifics of the exploit remain unclear, this marks the second instance of a Commvault vulnerability being weaponized in real-world attacks, following the recent CVE-2025-3928. This earlier vulnerability allowed authenticated attackers to create and execute web shells, highlighting a concerning trend in the security posture of Commvault’s software environment. The company reported that while these exploits have impacted a small number of customers, there have been no indications of unauthorized access to backup data.
In response to the critical nature of CVE-2025-34028, federal agencies under the Federal Civilian Executive Branch (FCEB) are mandated to apply the necessary patches by May 23, 2025, to fortify their networks against potential exploits. The urgency in implementing these updates underscores the ongoing threat posed by this vulnerability.
Commvault has also issued an advisory update indicating that remediation is available through the installation of the fixed versions, along with supplemental updates. Notably, security researcher Will Dormann raised concerns over potential issues in patch deployment, emphasizing that merely updating to the latest software versions does not adequately address the vulnerability without specific additional updates.
The situation is further complicated by the fact that the 11.38 version of Commvault is categorized as an “Innovation Release,” requiring customer registration to access updates. This may inadvertently exclude users deploying Commvault 11.38 through cloud platforms like Azure from timely access to critical patches, creating a knowledge gap that could jeopardize cybersecurity.
This vulnerability incident showcases the ongoing risks associated with cloud software and the importance of diligent cybersecurity practices among business owners. Utilizing frameworks such as the MITRE ATT&CK Matrix, relevant tactics like initial access, exploitation of vulnerabilities, and execution tactics can be identified to understand the potential threat landscape.
This growing concern necessitates that organizations remain vigilant and proactive in addressing identified vulnerabilities to mitigate the risks of future cyberattacks effectively. It is paramount for business owners to prioritize regular software updates and ensure they are equipped with the latest security patches to defend against such critical vulnerabilities.
