Critical Commvault Flaw (CVE-2025-34028) Lets Hackers Execute Code Remotely

A serious vulnerability has been discovered in Commvault Command Center, putting many systems at risk of being fully compromised by remote attackers. The flaw, tracked as CVE-2025-34028, allows unauthenticated remote code execution (RCE) – which means attackers can run malicious code without needing to log in.

High-Risk Bug Rated 9.0 CVSS

The vulnerability carries a CVSS severity score of 9.0 out of 10, making it critical. Commvault published a security advisory on April 17, 2025, warning users about the flaw in its Command Center Innovation Release, specifically versions 11.38.0 through 11.38.19.

Commvault stated:

“A critical vulnerability allows remote attackers to execute arbitrary code without authentication. This could lead to full compromise of the Command Center environment.”

Affected Versions and Fixes

The vulnerability has been patched in the following updated versions:

  • 11.38.20

  • 11.38.25

All users running older versions should update immediately to protect their systems.

How the Attack Works

Security researcher Sonny Macdonald from watchTowr Labs discovered and reported the flaw on April 7, 2025. He explained that the issue lies in a vulnerable endpoint called deployWebpackage.do, which fails to properly filter requests. This creates a Server-Side Request Forgery (SSRF) flaw that can be abused without authentication.

Here’s a simplified breakdown of how attackers exploit the flaw:

  1. Send a malicious HTTP request to /commandcenter/deployWebpackage.do, tricking the server into downloading a ZIP file from an attacker-controlled server.

  2. The contents of the ZIP, including a malicious .JSP web shell, are extracted into a temporary folder.

  3. The attacker uses the servicePack parameter to navigate the file structure and place the web shell into a public-facing directory.

  4. The attacker then executes the web shell via another crafted HTTP request, gaining full remote code execution access.

In short, the attacker can upload a backdoor and run any command on the system, even though they aren’t logged in.
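Defenders can look for the request pattern described above in web server access logs. The following is an added example, not code from the article or from watchTowr's generator: it parses common-log-format lines (constructed samples, not real traffic), flags every request to the unauthenticated deployWebpackage.do endpoint for review, and raises the severity when the servicePack parameter carries a ".." path component, including percent-encoded and double-encoded forms. The log format and field layout are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint and parameter are the ones named in the write-up; log lines below are constructed samples.
ENDPOINT = "/commandcenter/deployWebpackage.do"
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")          # '..' as a whole path component
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

SAMPLE_LOG = """\
10.0.0.5 - - [24/Apr/2025:10:01:02 +0000] "GET /commandcenter/ HTTP/1.1" 200 512
10.0.0.7 - - [24/Apr/2025:10:02:10 +0000] "POST /commandcenter/deployWebpackage.do?servicePack=..%2F..%2F..%2Freports HTTP/1.1" 200 0
10.0.0.9 - - [24/Apr/2025:10:03:30 +0000] "GET /commandcenter/deployWebpackage.do?servicePack=SP38 HTTP/1.1" 200 0
"""

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so a double-encoded '..%252F' is seen as '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value):
    return TRAVERSAL.search(decode_fully(value)) is not None

def parse_line(line):
    # Returns (src, ts, method, path, params, status) or None for unparseable lines.
    m = LOG_LINE.match(line)
    if m is None:
        return None
    src, ts, method, target, status = m.groups()
    url = urlsplit(target)
    return src, ts, method, decode_fully(url.path), parse_qs(url.query), int(status)

def find_suspicious(log_text):
    """Return (severity, src, ts, detail) for every hit on the vulnerable endpoint."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3].lower() != ENDPOINT.lower():
            continue
        src, ts, method, _, params, status = rec
        bad = [decode_fully(v) for v in params.get("servicePack", []) if has_traversal(v)]
        if bad:   # traversal in servicePack: the high-severity case
            alerts.append(("high", src, ts, f"traversal in servicePack: {bad[0]}"))
        else:     # any other hit still deserves review, since the endpoint needs no login
            alerts.append(("info", src, ts, f"{method} to endpoint, status {status}"))
    return alerts
```

The "info" hits are expected during legitimate package deployment, so baseline them per source address before alerting on them alone.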

Why This Matters

Backup and data management products like Commvault are prime targets for cybercriminals. These systems often hold sensitive data and are deeply integrated into business operations, making them attractive for ransomware attacks, data theft, or espionage.

In recent months, similar products like Veeam and NAKIVO have also faced active exploitation by hackers. This shows a clear trend: threat actors are focusing on backup solutions due to their importance and potential access to entire organizational data sets.

Detection Tools Available

To help system administrators, watchTowr has released a Detection Artefact Generator. This tool helps organizations check if their Commvault installation is vulnerable to CVE-2025-34028. It’s a must-use for any organization that hasn’t yet updated or isn’t sure if their systems are secure.

Commvault’s Recommendations

Commvault has urged all users to upgrade to version 11.38.20 or newer as soon as possible. However, if an immediate update is not possible, the company recommends:

  • Isolating the Command Center from external network access.

  • Monitoring systems for suspicious activity.

  • Using watchTowr’s detection tool to assess exposure.

Timeline of the Vulnerability

  • April 7, 2025 – Flaw discovered by watchTowr.

  • April 10, 2025 – Commvault released a patch.

  • April 17, 2025 – Commvault published a security advisory.

  • April 24, 2025 – watchTowr released a detailed report and a proof-of-concept (PoC) exploit.

  • The CVE ID CVE-2025-34028 was assigned by VulnCheck, a CVE Numbering Authority (CNA).

Technical Root of the Problem

The vulnerability stems from a path traversal issue – a type of flaw where an attacker can access files or directories outside the intended folder. In this case, it lets attackers place malicious files into protected areas and execute them remotely.

This issue affects both Linux and Windows versions of Commvault Command Center.

Summary: Backup Software Needs Better Security

The discovery of CVE-2025-34028 is yet another reminder that backup and replication tools must be treated as high-value assets. Organizations should:

  • Keep software up to date

  • Follow security best practices

  • Regularly audit and monitor backup systems

  • Limit external access to critical admin interfaces

With ransomware groups and state-sponsored hackers targeting backup platforms more frequently, patching vulnerabilities promptly is not just recommended—it’s essential.
