Critical Remote Code Execution (CVE-2025-34028) in Commvault Command Center

A severe security flaw has been uncovered in Commvault Command Center, a widely used platform for data protection and cyber resilience. This vulnerability, tracked as CVE-2025-34028, carries a critical CVSS score of 9.0 out of 10.0, and it allows unauthenticated remote attackers to execute arbitrary code on affected assets. This isn’t a vulnerability to delay addressing; it could lead to a complete compromise of your Commvault environment, putting your critical backup data at extreme risk.
The Exploit Chain: From Path Traversal to RCE
Disclosed by watchTowr Labs researcher Sonny Macdonald, the vulnerability chain is particularly dangerous because it doesn’t require any authentication to initiate. The core issue lies in an endpoint (/commandcenter/deployWebPackage.do) vulnerable to a pre-authenticated Server-Side Request Forgery (SSRF), with insufficient filtering of host targets.
This SSRF vulnerability is then escalated:
- An attacker sends a crafted HTTP request to the vulnerable endpoint, coercing the Commvault instance to fetch a malicious ZIP file from an external server controlled by the attacker.
- Due to a Path Traversal flaw (CWE-22 - Improper Limitation of a Pathname to a Restricted Directory), the contents of the ZIP file can be unzipped into a controlled directory on the Commvault server.
- If the ZIP file contains a malicious file (like a .JSP shell), the attacker can then trigger its execution via the previously established SSRF vulnerability, achieving Remote Code Execution without needing to log in.
This sophisticated chain turns a seemingly simple file-fetching endpoint into a critical attack vector.
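The two weaknesses in this chain are general classes, not Commvault-specific bugs: an outbound fetch whose target host is not strictly filtered, and an archive extraction that lets entry names escape the destination directory (CWE-22, often called "zip slip"). The following is an added example, not code from Commvault or from the watchTowr write-up, showing how a deployment service can close both gaps: the fetch target is checked against an allowlist of hosts rather than a blocklist, and every ZIP entry is resolved and confirmed to remain inside the destination before a single byte is written. The host name `packages.example.internal` and the archive contents are constructed for the demonstration.

```python
"""Defensive checks for the two flaw classes chained in CVE-2025-34028:
an insufficiently filtered outbound fetch (SSRF) and a ZIP extraction that
follows hostile entry names out of the target directory (CWE-22).
Hypothetical example code, not Commvault's implementation."""
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Assumed allowlist: the only host(s) a deployment fetch may contact.
ALLOWED_HOSTS = {"packages.example.internal"}


def fetch_target_allowed(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if url uses https and its *parsed* host is allowlisted.

    Parsing with urlsplit matters: a URL such as https://trusted@other/ has
    'other' as its host, so a substring or prefix check on the raw string
    would pass a request that actually goes elsewhere."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False  # userinfo in a package URL is never legitimate here
    host = (parts.hostname or "").lower().rstrip(".")
    return host in allowed_hosts


def safe_member_path(dest: Path, name: str) -> Optional[Path]:
    """Resolve a ZIP entry name under dest; return None if it would escape.

    Rejects absolute names, any '..' component, backslash separators and
    drive letters, then re-checks the fully resolved path so that symlinks
    already present under dest cannot redirect the write either."""
    pure = PurePosixPath(name.replace("\\", "/"))
    if not pure.parts or pure.is_absolute() or ".." in pure.parts:
        return None
    if any(":" in part for part in pure.parts):
        return None
    dest_resolved = dest.resolve()
    candidate = (dest_resolved / pure).resolve()
    try:
        candidate.relative_to(dest_resolved)
    except ValueError:
        return None
    return candidate


def extract_safely(archive_bytes: bytes, dest: Path) -> List[str]:
    """Extract only entries that stay inside dest; return the rejected names."""
    rejected: List[str] = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            target = safe_member_path(dest, info.filename)
            if target is None:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
    return rejected


def build_demo_archive() -> bytes:
    """Constructed sample archive: one benign entry and two traversal attempts.
    zipfile.writestr stores the names verbatim, so the hostile names survive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("package/readme.txt", "benign content\n")
        zf.writestr("../../webroot/escaped.txt", "would land outside dest\n")
        zf.writestr("/abs/escaped.txt", "absolute path\n")
    return buf.getvalue()


def demo() -> Dict[str, List[str]]:
    """Run the constructed archive through the safe extractor in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "deploy"
        dest.mkdir()
        rejected = extract_safely(build_demo_archive(), dest)
        extracted = sorted(
            p.relative_to(dest).as_posix() for p in dest.rglob("*") if p.is_file()
        )
    return {"rejected": rejected, "extracted": extracted}


if __name__ == "__main__":
    print(fetch_target_allowed("https://packages.example.internal/pkg.zip"))
    print(fetch_target_allowed("https://packages.example.internal@other.example/pkg.zip"))
    print(demo())
```

The extractor deliberately rejects any entry containing `..`, even one such as `a/../b` that would normalise back inside the destination; being conservative here costs nothing, while the resolve-then-`relative_to` check is the final authority and also catches escapes through pre-existing symlinks. For a deployment endpoint the allowlist in `fetch_target_allowed` would normally be configuration rather than a constant, but the point stands: decide which hosts are permitted, not which are forbidden.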
Impact and Remediation: Patch Immediately!
The vulnerability impacts Commvault Command Center 11.38 Innovation Release, specifically versions 11.38.0 through 11.38.19. Successful exploitation grants attackers arbitrary code execution privileges, potentially leading to sensitive data exfiltration, service disruption, or further lateral movement within the network. Given that backup software holds an organization’s most valuable data, the compromise of the Command Center is a severe incident.
Commvault has released patches to address CVE-2025-34028. The vulnerability is resolved in versions 11.38.20 and 11.38.25 and above.
Organizations running affected versions of Commvault Command Center should prioritize applying the necessary updates immediately. This is a critical vulnerability being actively highlighted by security researchers, and delaying patching leaves your primary data protection system open to attack.
Frequently Asked Questions (FAQ)
- What is CVE-2025-34028? CVE-2025-34028 is a critical security vulnerability (CVSS 9.0) affecting Commvault Command Center that allows unauthenticated remote attackers to execute arbitrary code due to a combination of SSRF and Path Traversal flaws.
- Which Commvault versions are affected? The vulnerability affects Commvault Command Center versions 11.38.0 through 11.38.19 of the 11.38 Innovation Release.
- How is CVE-2025-34028 exploited? It’s exploited by chaining a pre-authenticated Server-Side Request Forgery (SSRF) flaw with a Path Traversal vulnerability, allowing an attacker to upload and execute a malicious file (like a JSP web shell) on the Commvault server.
- When was the patch for CVE-2025-34028 released? Commvault released a fix for the vulnerability on April 10, 2025, with an advisory published on April 17, 2025. Versions 11.38.20, 11.38.25, and above are patched.
- Who discovered this vulnerability? The vulnerability was discovered and reported by Sonny Macdonald of watchTowr Labs.