Critical Vulnerability in Commvault Command Center Demands Immediate Action from Enterprises
Enterprises utilizing the Commvault Innovation Release are facing urgent security concerns due to a recently identified critical vulnerability, tagged as CVE-2025-34028. This severe flaw poses significant risks by allowing attackers to execute remote code, potentially granting them full control over affected systems. Organizations are strongly urged to implement immediate patches to mitigate this threat.
This alarming vulnerability was uncovered in the Commvault Command Center, which serves as a critical backup and data management solution for numerous enterprises. Rated with a critical severity score of 9.0 out of 10, this flaw could enable remote attackers to run arbitrary code on vulnerable installations without needing any authentication. This vulnerability has raised significant alarm bells within the cybersecurity community due to its potential impact on sensitive data and operational integrity.
The critical flaw was identified and reported on April 7, 2025, by Sonny Macdonald, a researcher from watchTowr Labs. Through rigorous analysis, it was established that the vulnerability is rooted in a specific web interface component coded as “deployWebpackage.do.” This endpoint is highly susceptible to a pre-authenticated Server-Side Request Forgery (SSRF) attack, primarily attributed to inadequate validation procedures concerning external servers interacting with the Commvault system.
In response to the findings, Commvault issued a security advisory on April 17, 2025, acknowledging this significant threat. The advisory highlighted that the identified flaw could lead to a total compromise of the Command Center environment, thereby endangering sensitive corporate data and potentially disrupting essential operational processes. The ramifications of such a breach could prove catastrophic for businesses that rely on Commvault for data protection.
The SSRF vulnerability serves as the initial gateway for attackers, who can exploit it to further their incursions. Research indicates that attackers might utilize a specially crafted ZIP file containing a malicious JavaServer Pages (JSP) file. By deceiving the Commvault server into retrieving this ZIP from an attacker-controlled server, they can extract its contents to a temporary directory accessible to the attacker.
Through careful manipulation of the “servicePack” parameter during subsequent requests, attackers can navigate the system’s directories to position their malicious JSP file into a publicly accessible location, specifically under “../../Reports/MetricsUpload/shell.” By exploiting the SSRF vulnerability once more, attackers can execute their JSP file from this accessible directory, thereby executing arbitrary code within the Commvault system.
Importantly, the process by which the ZIP file is read diverges from standard procedures; it is accessed through a “multipart request” before the vulnerable portion of the software processes it. This method allows attackers to potentially bypass existing security measures that would typically block standard web requests.
Following the responsible disclosure of this security flaw, watchTowr Labs reported the issue to Commvault, which quickly took strides to address it through a patch. The fix was introduced on April 10, 2025, and the issue was subsequently made public on April 17, 2025. Commvault confirmed that the flaw specifically impacted versions 11.38.0 to 11.38.19 of the Innovation Release software for both Linux and Windows operating environments. To effectively resolve the issue, users are advised to upgrade to either version 11.38.20 or 11.38.25.
To assist enterprises in identifying systems vulnerable to CVE-2025-34028, watchTowr Labs developed a "Detection Artefact Generator," which can be beneficial for IT administrators seeking to assess their environments.
The emergence of this vulnerability underscores a worrying trend in the cybersecurity landscape: backup systems are increasingly becoming prime targets for cybercriminals. These vital systems are essential for restoring operational functionality following an attack, and their compromise can lead to severe consequences. Often, backup systems house sensitive credentials for important corporate components, amplifying the stakes associated with such vulnerabilities.
Agnidipta Sarkar, VP CISO Advisory at ColorTokens, has commented on the gravity of this situation, noting that the CVSS score of 10 associated with this flaw represents a critical risk of unauthenticated remote code execution. He emphasized that immediate and sustained remedial action is crucial. In situations where complete network shutdown may not be practical, deploying tools like Xshield Gatekeeper can provide swift isolation of critical systems to mitigate potential threats.
The urgency surrounding the CVE-2025-34028 vulnerability signifies an imperative for enterprises to prioritize security patching and reinforce their data backup practices. Failure to act could leave organizations vulnerable to severe ransomware attacks and data loss, highlighting that the significance of robust security measures can no longer be underscored.