The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a maximum-severity security flaw impacting Commvault Command Center to its Known Exploited Vulnerabilities (KEV) catalog, a little over a week after it was publicly disclosed.
The vulnerability in question is CVE-2025-34028 (CVSS score: 10.0), a path traversal bug that affects the 11.38 Innovation Release, from versions 11.38.0 through 11.38.19. It has been addressed in versions 11.38.20 and 11.38.25.
"Commvault Command Center contains a path traversal vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code," CISA said.
The flaw essentially permits an attacker to upload ZIP files that, when decompressed on the target server, could result in remote code execution.
Cybersecurity company watchTowr Labs, which was credited with discovering and reporting the bug, said the problem resides in an endpoint called "deployWebpackage.do" that triggers a pre-authenticated Server-Side Request Forgery (SSRF), ultimately resulting in code execution when using a ZIP archive file containing a malicious .JSP file.
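The defensive counterpart to the mechanism described above, as an added example that is not Commvault's or watchTowr's code: an archive handler that refuses entries with absolute or parent-directory paths, and entries with server-executable extensions, before anything is written to disk. The deny-list, the sample archive and its entry names are constructed assumptions.

```python
import io, os, tempfile, zipfile
from pathlib import PurePosixPath
from typing import Dict, List, Optional, Tuple

# Hypothetical deny-list: extensions the application server would execute if they
# landed under its web root (the advisory describes a malicious .JSP in the archive).
EXECUTABLE_EXTENSIONS = {".jsp", ".jspx", ".war", ".jar"}

def check_zip_entry(name: str) -> Optional[str]:
    """Return why an archive entry name must be rejected, or None if acceptable."""
    path = PurePosixPath(name.replace("\\", "/"))  # treat backslashes as separators too
    if path.is_absolute():
        return "absolute path"
    if ".." in path.parts:
        return "parent-directory traversal"
    if path.suffix.lower() in EXECUTABLE_EXTENSIONS:
        return f"executable content ({path.suffix})"
    return None

def safe_extract(zip_bytes: bytes, dest_dir: Optional[str] = None) -> Tuple[List[str], Dict[str, str]]:
    """Extract only entries that pass check_zip_entry; return (extracted, rejected)."""
    extracted: List[str] = []
    rejected: Dict[str, str] = {}
    dest_root = os.path.realpath(dest_dir or tempfile.mkdtemp())
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reason = check_zip_entry(info.filename)
            if reason is None:
                # Defence in depth: the resolved target must stay inside dest_root.
                target = os.path.realpath(os.path.join(dest_root, info.filename))
                if os.path.commonpath([dest_root, target]) != dest_root:
                    reason = "escapes destination after normalisation"
            if reason:
                # Reject outright rather than sanitise: stripping '../' would still
                # drop a .jsp file somewhere inside the destination tree.
                rejected[info.filename] = reason
                continue
            zf.extract(info, dest_root)
            extracted.append(info.filename)
    return extracted, rejected

def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign file and two entries that must be refused."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("static/readme.txt", "benign content")
        zf.writestr("../../webroot/shell.jsp", "placeholder text, not a payload")
        zf.writestr("/tmp/absolute.txt", "placeholder text")
    return buf.getvalue()
```

Calling `safe_extract(build_sample_zip())` extracts only `static/readme.txt` and reports the other two entries with their rejection reasons.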
It's currently not known in what context the vulnerability is being exploited, but the development makes it the second Commvault flaw to be weaponized in real-world attacks after CVE-2025-3928 (CVSS score: 8.7), an unspecified issue in the Commvault Web Server that allows a remote, authenticated attacker to create and execute web shells.
The company revealed last week that the exploitation activity affected a small number of customers but noted that there has been no unauthorized access to customer backup data.
In light of active exploitation of CVE-2025-34028, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary patches by May 23, 2025, to secure their networks.
Update
Commvault, in an update to its advisory on May 6, 2025, said the vulnerability can be remediated by installing versions 11.38.20 or 11.38.25 alongside supplemental updates:
- 11.38.20, with the additional updates: SP38-CU20-433 and SP38-CU20-436
- 11.38.25, with the additional updates: SP38-CU25-434 and SP38-CU25-438
Security researcher Will Dormann, who found that deploying just 11.38.20 or 11.38.25 does not fix the flaw, said "I cannot think of a behavior that is more vindictive to their customers to botch language in an advisory so bad, and also to not bother bumping release versions for the fixes for a CVSS 10 EITW vulnerability."
In a follow-up post on Mastodon, Dormann explained the issue further: "The 11.38 version of Commvault is what's referred to as the 'Innovation Release' of the software, where the expectation is that 'Pioneer customers' register with Commvault and are specifically approved to even see updates that are available."
"The problem with this: Customers who fire up a Commvault 11.38 VM through Azure or the like did not [go] through the front door of registering with Commvault. As such, they would NOT SEE UPDATES AVAILABLE. This was ... not ideal."
The security researcher also noted that Commvault changed the backend to provide the "Additional updates" that fix CVE-2025-34028 for those who use Azure or AWS via a manual download process.