CVSS Score: 9.0 (Critical)
Identifier: CVE-2025-34028
Exploit or Proof of Concept (PoC): Yes – https://github.com/watchtowrlabs/watchTowr-vs-Commvault-PreAuth-RCE-CVE-2025-34028
Update: CVE-2025-34028 – Commvault Security Advisory
Description: CVE-2025-34028 is a critical remote code execution vulnerability in Commvault Command Center versions 11.38.0 through 11.38.19. The flaw is caused by improper input validation in the 'deployWebpackage.do' endpoint, which allows an unauthenticated attacker to exploit a path traversal vulnerability. By uploading a specially crafted ZIP file containing a malicious .jsp file, attackers can execute arbitrary code on the server and potentially gain full control of the system.
Mitigation Recommendation: Commvault has resolved this issue in version 11.38.20 and later. Administrators are strongly advised to update affected installations immediately. For environments where patching is not immediately feasible, Commvault recommends isolating the Command Center from external network access.
Note: Given the critical severity and confirmed exploitation, immediate action is necessary to secure exposed Commvault environments. Regular patching and review of external exposure are essential to maintaining secure infrastructure.