Path Traversal Vulnerability in Commvault Command Center by Commvault
CVE-2025-34028
Key Information:
- Vendor: Commvault
- CVE Published: 22 April 2025
What is CVE-2025-34028?
CVE-2025-34028 is a critical path traversal vulnerability identified in the Commvault Command Center, a platform used for data management and backup solutions. This vulnerability allows unauthenticated users to upload ZIP files, which, when processed by the server, can lead to remote code execution. The potential exploitation of this vulnerability poses significant risks to organizations relying on Commvault for maintaining their data integrity and security.
Technical Details
The flaw lies in the handling of file uploads within Commvault Command Center Innovation Release version 11.38. Attackers can exploit this weakness by submitting specially crafted ZIP files and thereby execute arbitrary code on the server. The issue indicates a lack of proper input validation and file system controls, making it a serious security concern.
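On the mitigation side of the flaw described above, here is an added example (not Commvault's code) of the check an upload handler needs: every ZIP member name is inspected before anything is written, and an archive with any entry that would escape the destination directory is refused whole. The sample archives are constructed in memory, and the `dest` directory name is an assumption of the demo.

```python
import io
import os
import posixpath
import stat
import zipfile


def unsafe_zip_entries(zip_bytes: bytes) -> list[str]:
    """Names of archive members that would escape the extraction root:
    absolute paths, drive prefixes, backslashes, a surviving '..' segment,
    or a symlink entry (a link pointing outside the root defeats later checks)."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            segments = posixpath.normpath(name).split("/")
            if (
                name.startswith(("/", "\\"))
                or "\\" in name
                or name[1:2] == ":"
                or ".." in segments
                or stat.S_ISLNK(info.external_attr >> 16)
            ):
                bad.append(name)
    return bad


def extract_safely(zip_bytes: bytes, dest: str) -> list[str]:
    """Validate every member first; refuse the whole archive on any unsafe entry."""
    bad = unsafe_zip_entries(zip_bytes)
    if bad:
        raise ValueError(f"archive rejected, unsafe members: {bad}")
    root = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Belt and braces: the resolved target must still sit under root.
            target = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"resolved outside root: {info.filename}")
        zf.extractall(root)
        return zf.namelist()


def build_zip(members: dict[str, bytes]) -> bytes:
    """Constructed sample archive for the demo (not a captured upload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

Rejecting the archive as a whole, rather than skipping bad members, avoids leaving a half-extracted tree behind that later code might trust.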
Potential impact of CVE-2025-34028
- Remote Code Execution: The primary risk associated with this vulnerability is the possibility for attackers to execute malicious code remotely, potentially allowing them to take full control of the affected systems.
- Data Compromise: Exploitation can lead to unauthorized access to sensitive data stored within the Commvault environment, increasing the risk of data breaches that could expose critical organizational information.
- Operational Disruption: Successful exploits could result in significant disruptions to normal operations, including data loss, service outages, and potential financial repercussions, as organizations may face extensive recovery efforts and compliance issues following an incident.
CISA has reported CVE-2025-34028
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2025-34028 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This assessment is subject to change quickly.
The CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
Command Center Innovation Release 11.38.0 <= 11.38.25
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
Commvault: Vulnerability Patch Works as Intended
The security researcher who questioned the effectiveness of a patch for a recently disclosed bug in Commvault Command Center did not test the patched version, the company says.
CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
Researcher Says Fixed Commvault Bug Still Exploitable
CISA added CVE-2025-34028 to its Known Exploited Vulnerabilities catalog, citing active attacks in the wild.
EPSS Score
63% chance of being exploited in the next 30 days.
Timeline
- 🦅 CISA Reported
- 📈 Vulnerability started trending
- 👾 Exploit known to exist
- 📰 First article discovered by The Hacker News
- 🟡 Public PoC available
- Vulnerability published
- Vulnerability Reserved