Path Traversal Vulnerability in Commvault Command Center by Commvault
CVE-2025-34028
Key Information:
- Vendor: Commvault
- Affected product: Command Center Innovation Release
- CVE Published: 22 April 2025
What is CVE-2025-34028?
CVE-2025-34028 is a critical path traversal vulnerability identified in the Commvault Command Center, a platform used for data management and backup solutions. This vulnerability allows unauthenticated users to upload ZIP files, which, when processed by the server, can lead to remote code execution. The potential exploitation of this vulnerability poses significant risks to organizations relying on Commvault for maintaining their data integrity and security.
Technical Details
The flaw lies in the handling of file uploads within the Commvault Command Center Innovation Release version 11.38. Attackers can exploit this weakness by submitting specially crafted ZIP files and thereby gain the ability to execute arbitrary code on the server. This indicates a lack of proper input validation and file system controls on the upload path, making it a serious security concern.
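The generic defence against this vulnerability class is to validate every archive member name before anything is written to disk, rather than trusting the names inside an uploaded ZIP. The following is an added example, not Commvault's code and not a description of its internals: it assumes a hypothetical upload handler that extracts archives into a fixed directory, and it uses two constructed in-memory archives (one clean, one whose member names would escape that directory) to show the check rejecting traversal entries.

```python
"""Defensive validation of ZIP member names before extraction (added example).

Assumptions (hypothetical, not from the original page): uploaded archives are
extracted under a fixed directory `dest_root`, and any member whose name would
resolve outside that directory causes the whole upload to be refused.
"""
import io
import os
import tempfile
import zipfile
from pathlib import PurePosixPath, PureWindowsPath


def unsafe_members(zip_bytes: bytes, dest_root: str) -> list:
    """Return member names that would land outside dest_root, without extracting anything."""
    root = os.path.realpath(dest_root)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")  # normalise Windows-style separators
            parts = PurePosixPath(name).parts
            if (
                name.startswith("/")            # absolute POSIX path
                or PureWindowsPath(name).drive   # drive-letter path such as C:/...
                or ".." in parts                 # any traversal component, anywhere in the name
            ):
                bad.append(info.filename)
                continue
            # Belt-and-braces: resolve the final path and require it to stay under root.
            target = os.path.realpath(os.path.join(root, name))
            if os.path.commonpath([root, target]) != root:
                bad.append(info.filename)
    return bad


def extract_safely(zip_bytes: bytes, dest_root: str) -> list:
    """Validate the whole archive first, then extract member by member."""
    bad = unsafe_members(zip_bytes, dest_root)
    if bad:
        raise ValueError(f"refusing archive: unsafe entries {bad}")
    root = os.path.realpath(dest_root)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(root, info.filename.replace("\\", "/"))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, root))
    return written


def try_extract_to_tempdir(zip_bytes: bytes):
    """Extract into a fresh temporary directory; return written names, or None if rejected."""
    with tempfile.TemporaryDirectory() as d:
        try:
            return extract_safely(zip_bytes, d)
        except ValueError:
            return None


def build_archive(entries: dict) -> bytes:
    """Build an in-memory ZIP from {member_name: bytes}; names are stored verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed test fixtures (not real payloads): a clean archive and one with traversal names.
CLEAN_ARCHIVE = build_archive({"report/readme.txt": b"hello", "report/data/a.csv": b"1,2\n"})
TRAVERSAL_ARCHIVE = build_archive({
    "report/readme.txt": b"hello",
    "../../outside.txt": b"would escape the upload directory",
    "/abs/path.txt": b"absolute path",
    "nested/../../up.txt": b"traversal after a normal component",
})

if __name__ == "__main__":
    print("clean archive, unsafe members:", unsafe_members(CLEAN_ARCHIVE, "/tmp/uploads"))
    print("traversal archive, unsafe members:", unsafe_members(TRAVERSAL_ARCHIVE, "/tmp/uploads"))
```

The check rejects any `..` component outright rather than only names that end up outside the root after normalisation, because a name like `nested/../../up.txt` has no legitimate reason to appear in an upload. Refusing the whole archive on the first bad entry, instead of skipping just that entry, keeps a partially extracted upload from being processed later by another component.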
Potential impact of CVE-2025-34028
- Remote Code Execution: The primary risk associated with this vulnerability is the possibility for attackers to execute malicious code remotely, potentially allowing them to take full control of the affected systems.
- Data Compromise: Exploitation can lead to unauthorized access to sensitive data stored within the Commvault environment, increasing the risk of data breaches that could expose critical organizational information.
- Operational Disruption: Successful exploits could result in significant disruptions to normal operations, including data loss, service outages, and potential financial repercussions, as organizations may face extensive recovery efforts and compliance issues following an incident.
CISA Reported
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified this one as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace.
The CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
Command Center Innovation Release 11.38
News Articles

Critical Commvault Flaw Allows Full System Takeover - Update NOW
Enterprises using Commvault Innovation Release are urged to patch against CVE-2025-34028. This flaw allows attackers to run code remotely.
1 week ago
Week in review: MITRE ATT&CK v17.0 released, PoC for Erlang/OTP SSH bug is public - Help Net Security
Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Released: MITRE ATT&CK v17.0, now with ESXi attack TTPs
1 week ago

CSA Warns Of Commvault Vulnerability (CVE-2025-34028)
The Cyber Security Agency of Singapore (CSA) has warned users of critical Commvault vulnerability (CVE-2025-34028), urging immediate action.
1 week ago
References
CVSS V3.1
Timeline
- 🦅 CISA Reported
- 📈 Vulnerability started trending
- 👾 Exploit known to exist
- 📰 First article discovered by The Hacker News
- Vulnerability published
- Vulnerability Reserved