The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a critical security flaw affecting Commvault Command Center to its Known Exploited Vulnerabilities catalog. This vulnerability, identified as CVE-2025-34028 with a CVSS score of 10.0, is a path traversal bug that impacts versions 11.38.0 through 11.38.19 of the software. The issue allows remote, unauthenticated attackers to execute arbitrary code on affected systems.
CISA highlighted that the vulnerability in Commvault Command Center could be exploited by uploading ZIP files that, when decompressed on the target server, could lead to remote code execution. The flaw was discovered and reported by the cybersecurity firm watchTowr Labs, which traced the problem to an endpoint called “deployWebpackage.do,” triggering a pre-authenticated Server-Side Request Forgery (SSRF) that enables code execution via a malicious .JSP file inside a ZIP archive.
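The attack pattern described above, an archive whose entries are written outside the intended directory when decompressed, is the general "zip slip" path traversal class. As an added defensive example (not Commvault's code and not taken from the watchTowr report), the following Python audits an uploaded ZIP before anything is written to disk, rejecting entries that would escape the destination directory, entries with absolute paths, and entries carrying server-executable content such as .jsp. The webroot path, the suffix list and the two sample archives are constructed assumptions for the demonstration.

```python
"""Added defensive example: audit an uploaded ZIP for path traversal ("zip slip")
and server-executable content before extraction. Not Commvault's code; the
destination path, suffix list and sample archives are assumptions."""
import io
import posixpath
import tempfile
import zipfile
from dataclasses import dataclass, field

# Assumed deployment root for the web package; any entry that would land
# outside it is treated as a traversal attempt.
WEBROOT = "/opt/app/webroot"
# Assumed suffixes a servlet container would execute if dropped under the webroot.
EXECUTABLE_SUFFIXES = (".jsp", ".jspx", ".war")


@dataclass
class ZipAudit:
    traversal: list = field(default_factory=list)   # entries escaping the destination
    absolute: list = field(default_factory=list)    # entries with absolute paths
    executable: list = field(default_factory=list)  # server-executable content
    ok: list = field(default_factory=list)          # entries considered harmless

    @property
    def safe(self) -> bool:
        return not (self.traversal or self.absolute or self.executable)


def _escapes(dest: str, name: str) -> bool:
    """True if joining `name` onto `dest` resolves outside `dest` (POSIX semantics)."""
    target = posixpath.normpath(posixpath.join(dest, name))
    return posixpath.commonpath([dest, target]) != dest


def audit_zip(data: bytes, dest: str = WEBROOT) -> ZipAudit:
    """Classify every entry of the archive without extracting anything."""
    audit = ZipAudit()
    dest = posixpath.normpath(dest)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Normalise Windows separators so "..\\x" is judged the same as "../x".
            name = info.filename.replace("\\", "/")
            if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
                audit.absolute.append(info.filename)
            elif _escapes(dest, name):
                audit.traversal.append(info.filename)
            elif name.lower().endswith(EXECUTABLE_SUFFIXES):
                audit.executable.append(info.filename)
            else:
                audit.ok.append(info.filename)
    return audit


def safe_extract(data: bytes, dest: str) -> list:
    """Extract only when the audit is clean; return the entry names written."""
    audit = audit_zip(data, dest)
    if not audit.safe:
        raise ValueError(f"rejected archive: {audit}")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall(dest)
    return sorted(audit.ok)


def extract_to_tempdir(data: bytes) -> list:
    """Demo helper: extract into a fresh temporary directory."""
    return safe_extract(data, tempfile.mkdtemp())


def build_sample_zip() -> bytes:
    """Constructed archive exercising each rejection rule (sample data, not a capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("static/app.css", "body{}")
        zf.writestr("../../escaped.txt", "would land outside the webroot")
        zf.writestr("/etc/hosts", "absolute path")
        zf.writestr("pages/page.jsp", "<% /* server-side code */ %>")
    return buf.getvalue()


def build_clean_zip() -> bytes:
    """Constructed archive that passes every rule."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("static/app.css", "body{}")
        zf.writestr("static/logo.svg", "<svg/>")
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_zip(build_sample_zip()))
    print(extract_to_tempdir(build_clean_zip()))
```

The audit runs over the archive's central directory only, so a hostile entry is rejected before any byte is written; the path check uses `posixpath` deliberately so that the result does not depend on the operating system the auditor itself runs on, and the suffix rule is a second, independent line of defence for archives that stay inside the webroot but still carry executable content.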
This isn’t the first time Commvault software has been targeted by cyber attackers. Another vulnerability, CVE-2025-3928, was previously exploited in real-world attacks, allowing remote, authenticated attackers to create and execute web shells. While there has been no unauthorized access to customer backup data, the recent exploitation activity of CVE-2025-34028 has raised concerns.
In response to the active exploitation of the vulnerability, Federal Civilian Executive Branch (FCEB) agencies have been instructed to apply necessary patches by May 23, 2025, to secure their networks. It is crucial for organizations using Commvault Command Center to take immediate action to mitigate the risk of potential cyber threats and safeguard their systems from malicious actors.