Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a maximum-severity security flaw impacting Commvault Command Center to its Known Exploited Vulnerabilities (KEV) catalog, a little over a week after it was publicly disclosed. The vulnerability in question is CVE-2025-34028 (CVSS score: 10.0), a path traversal bug that affects 11.38 Innovation Release, from versions
Analysis Summary
# Vulnerability: Critical Path Traversal Leading to RCE in Commvault Command Center
## CVE Details
- CVE ID: CVE-2025-34028
- CVSS Score: 10.0 (Critical)
- CWE: Path Traversal (Implied by description)
## Affected Systems
- Products: Commvault Command Center
- Versions: Innovation Release 11.38, specifically versions 11.38.0 through 11.38.19.
- Configurations: Any system running the affected versions of Commvault Command Center.
## Vulnerability Description
CVE-2025-34028 is a critical path traversal vulnerability within the Commvault Command Center. The flaw exists in the endpoint named "deployWebpackage.do". It allows a remote, unauthenticated attacker to leverage a pre-authenticated Server-Side Request Forgery (SSRF) condition. By uploading a specially crafted ZIP file containing a malicious `.JSP` file, the attacker can cause the server to decompress the archive into a location from which the `.JSP` file is served, leading to remote code execution.
## Exploitation
- Status: Exploited in the wild (Added to CISA KEV catalog)
- Complexity: Low (Pre-authenticated and leads directly to code execution)
- Attack Vector: Network
## Impact
- Confidentiality: High
- Integrity: High (Arbitrary code execution)
- Availability: High
## Remediation
### Patches
- **Commvault Version 11.38.20**
- **Commvault Version 11.38.25**
### Workarounds
No specific workarounds were detailed in the description, but given the active exploitation and critical nature, immediate patching is required.
## Detection
- **Indicators of Compromise:** Look for indicators related to suspicious file uploads or execution of `.JSP` files via the "deployWebpackage.do" endpoint.
- **Detection Methods and Tools:** Monitor network traffic and server logs for activity targeting the specified endpoint, especially unauthorized file/ZIP uploads.
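To make the two detection points above concrete, here is an added example (not from the original report or from Commvault) that flags access-log requests against the "deployWebpackage.do" endpoint or traversal-style `.JSP` paths, and separately screens the members of an uploaded ZIP for names that escape the extraction root or end in `.jsp`. The log lines, the archive and the `/commandcenter/` path prefix are constructed for the demonstration and are assumptions.

```python
import io
import re
import zipfile
from posixpath import normpath

# Constructed sample access-log lines (common log format); not from any real host.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Apr/2025:10:01:12 +0000] "GET /commandcenter/login.do HTTP/1.1" 200 512
198.51.100.7 - - [28/Apr/2025:10:02:44 +0000] "POST /commandcenter/deployWebpackage.do HTTP/1.1" 200 87
10.0.0.9 - - [28/Apr/2025:10:03:01 +0000] "GET /commandcenter/reports/..%2F..%2Fshell.jsp HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def suspicious_requests(log_text):
    """Return (ip, method, path) for requests that touch the vulnerable endpoint
    or that request a .jsp resource through a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        path = m.group("path").lower()
        traversal = "../" in path or "..%2f" in path
        if "deploywebpackage.do" in path or (".jsp" in path and traversal):
            hits.append((m.group("ip"), m.group("method"), m.group("path")))
    return hits

def unsafe_zip_entries(zip_bytes):
    """Return archive member names that would escape the extraction root
    (absolute, drive-letter or '..' paths) or that are JSP files."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            norm = normpath(name.replace("\\", "/"))  # collapse a/../.. sequences
            escapes = name.startswith(("/", "\\")) or norm.startswith("..") \
                or re.match(r"^[A-Za-z]:", name) is not None
            if escapes or norm.lower().endswith(".jsp"):
                bad.append(name)
    return bad

def build_sample_zip():
    """Constructed test archive: one benign asset and one traversal .jsp entry (empty body)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("static/app.css", "body{}")
        zf.writestr("../../outside.jsp", "")
    return buf.getvalue()
```

A safe deployer would refuse the whole archive as soon as `unsafe_zip_entries` returns anything, rather than extracting the clean members and skipping the rest.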
## References
- CISA Adds Two Known Exploited Vulnerabilities to Catalog (CISA Advisory): hxxps://www.cisa.gov/news-events/alerts/2025/05/02/cisa-adds-two-known-exploited-vulnerabilities-catalog
- Original Disclosure (watchTowr Labs): hxxps://thehackernews.com/2025/04/critical-commvault-command-center-flaw.html
- Related Exploited Flaw (CVE-2025-3928): hxxps://thehackernews.com/2025/05/commvault-confirms-hackers-exploited.html