Path Traversal Vulnerability in Commvault Command Center by Commvault
CVE-2025-34028

CVSS 10.0 CRITICAL

Key Information:

Vendor: Commvault
Product: Command Center Innovation Release
CVE Published: 22 April 2025

Badges

📈 Trended (score: 1,800) · 👾 Exploit exists · 🦅 CISA reported · 📰 News worthy

What is CVE-2025-34028?

CVE-2025-34028 is a critical path traversal vulnerability in Commvault Command Center, the web-based management console for Commvault's backup and data-management platform. An unauthenticated attacker with network access to the Command Center can upload a ZIP file that the server expands. Because the entry names inside the archive are not confined to the intended extraction directory, the attacker controls where the extracted files are written and can place a file in a location where the server will execute it (for example a JSP page), which results in remote code execution. Organizations that rely on Commvault for the integrity and availability of their backups are directly exposed.

Technical Details

The flaw lies in the handling of uploaded ZIP files in Commvault Command Center Innovation Release version 11.38. The upload endpoint is reachable without authentication, and the server expands the archive without checking that each entry's resolved path stays inside the intended directory; entry names containing traversal sequences such as "../" are therefore written wherever the attacker directs (the classic "zip slip" pattern). Writing a server-executed file this way yields arbitrary code execution. The root cause is missing validation of untrusted archive entry names, combined with insufficient filesystem controls on where the extraction process is allowed to write.
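To make the bug class concrete, the following is an added example (not Commvault's code, and nothing from the Command Center) that shows the vulnerable extraction pattern beside a hardened one. The archives are constructed in memory with made-up entry names (`pkg/manifest.txt`, `../webroot/evil.jsp`, `/var/www/evil.jsp`); the directory names are arbitrary, and the check generalizes beyond "../" to absolute paths and Windows drive letters.

```python
import io
import os
import tempfile
import zipfile


def build_archive(entries):
    """Build an in-memory ZIP from {entry_name: bytes}.  zipfile writes any
    entry name it is given, including '../' segments, as an attacker's tool would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def naive_extract(zip_bytes, dest_dir):
    """The vulnerable pattern: join the untrusted entry name to dest_dir and
    write.  A name such as '../webroot/evil.jsp' lands outside dest_dir."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest_dir, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(zf.read(info))


def _resolve(entry_name, dest_real):
    # Normalise separators, then resolve the entry to an absolute path.
    name = entry_name.replace("\\", "/")
    return name, os.path.realpath(os.path.join(dest_real, *name.split("/")))


def unsafe_entries(zip_bytes, dest_dir):
    """Return entry names that would be written outside dest_dir: '../' escapes
    (checked after resolving dest_dir), absolute paths and Windows drive letters.
    Symlink entries inside the archive are a further escape route not modelled."""
    dest_real = os.path.realpath(dest_dir)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name, target = _resolve(info.filename, dest_real)
            if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
                bad.append(info.filename)
            elif os.path.commonpath([dest_real, target]) != dest_real:
                bad.append(info.filename)
    return bad


def safe_extract(zip_bytes, dest_dir):
    """Validate every entry first and refuse the whole archive on any escape,
    rather than silently skipping the bad entry and installing the rest."""
    bad = unsafe_entries(zip_bytes, dest_dir)
    if bad:
        raise ValueError("refusing archive, traversal entries: %r" % (bad,))
    dest_real = os.path.realpath(dest_dir)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            _, target = _resolve(info.filename, dest_real)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(zf.read(info))
            written.append(os.path.relpath(target, dest_real))
    return written


def demo():
    """Run both extractors against constructed archives (sample data, not a
    real Commvault package) and report what each one did."""
    benign = build_archive({"pkg/manifest.txt": b"name=demo\n",
                            "pkg/lib/a.bin": b"\x00" * 16})
    traversal = build_archive({"pkg/manifest.txt": b"name=demo\n",
                               "../webroot/evil.jsp": b"<%-- placeholder --%>"})
    absolute = build_archive({"/var/www/evil.jsp": b"placeholder"})
    result = {}
    with tempfile.TemporaryDirectory() as root:
        staging = os.path.join(root, "staging")
        os.makedirs(staging)
        escaped = os.path.join(root, "webroot", "evil.jsp")
        # Vulnerable extractor: the entry climbs from root/staging into root/webroot.
        naive_extract(traversal, staging)
        result["naive_escaped"] = os.path.exists(escaped)
        os.remove(escaped)
        result["benign_flagged"] = unsafe_entries(benign, staging)
        result["traversal_flagged"] = unsafe_entries(traversal, staging)
        result["absolute_flagged"] = unsafe_entries(absolute, staging)
        result["benign_written"] = sorted(safe_extract(benign, staging))
        try:
            safe_extract(traversal, staging)
            result["traversal_rejected"] = False
        except ValueError:
            result["traversal_rejected"] = True
        result["escaped_after_safe"] = os.path.exists(escaped)
    return result
```

Running `demo()` shows the naive extractor creating `webroot/evil.jsp` one level above the staging directory, while the hardened extractor flags the same entry and refuses the archive. Rejecting the whole package rather than skipping the offending entry matters: an install package that is half-applied is its own failure mode, and the presence of any traversal entry is already evidence of hostile input.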

Potential impact of CVE-2025-34028

  1. Remote Code Execution: The primary risk associated with this vulnerability is the possibility for attackers to execute malicious code remotely, potentially allowing them to take full control of the affected systems.

  2. Data Compromise: Exploitation can lead to unauthorized access to sensitive data stored within the Commvault environment, increasing the risk of data breaches that could expose critical organizational information.

  3. Operational Disruption: Successful exploits could result in significant disruptions to normal operations, including data loss, service outages, and potential financial repercussions, as organizations may face extensive recovery efforts and compliance issues following an incident.

CISA Reported

CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, which lists CVEs for which CISA has evidence of active exploitation. At the time of listing, CISA did not know of its use in ransomware campaigns; that status is subject to change at pace.

CISA's required action is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

Command Center Innovation Release 11.38

News Articles

Critical Commvault Flaw Allows Full System Takeover - Update NOW

Enterprises using Commvault Innovation Release are urged to patch against CVE-2025-34028. This flaw allows attackers to run code remotely.

1 week ago

Week in review: MITRE ATT&CK v17.0 released, PoC for Erlang/OTP SSH bug is public - Help Net Security

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Released: MITRE ATT&CK v17.0, now with ESXi attack TTPs

1 week ago

CSA Warns Of Commvault Vulnerability (CVE-2025-34028)

The Cyber Security Agency of Singapore (CSA) has warned users of critical Commvault vulnerability (CVE-2025-34028), urging immediate action.

1 week ago

CVSS V3.1

Score: 10.0
Severity: CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • 🦅 CISA Reported
  • 📈 Vulnerability started trending
  • 👾 Exploit known to exist
  • 📰 First article discovered by The Hacker News
  • Vulnerability published
  • Vulnerability reserved

Credit

Sonny (watchTowr)