The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity vulnerability affecting Commvault Command Center to its Known Exploited Vulnerabilities (KEV) catalog, a little over a week after the flaw was publicly disclosed.
The vulnerability, CVE-2025-34028 (CVSS score: 10.0), is a path traversal flaw affecting Commvault Command Center versions 11.38.0 through 11.38.19; it has been patched in versions 11.38.20 and 11.38.25. The flaw allows an unauthenticated remote attacker to upload a ZIP file containing a malicious .JSP file, which leads to remote code execution (RCE) when the archive is decompressed on the targeted server.
How the Vulnerability Works
According to watchTowr Labs, which is credited with discovering and reporting the vulnerability, the issue arises from an endpoint called deployWebpackage.do. The endpoint can be reached without authentication and triggers a Server-Side Request Forgery (SSRF) which, when paired with the malicious ZIP file, results in code execution. While it remains unclear how the vulnerability is being exploited in the wild, this is the second Commvault flaw to be weaponized in real-world attacks. The first was CVE-2025-3928, a web server flaw that allows attackers to create and execute web shells remotely.
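The defect class described above, an uploaded archive whose entries are written to disk without checking where they land or what they are, is the same one a defender guards against in any server that unpacks user-supplied ZIP files. The example below is added here and is not Commvault's or watchTowr's code; it shows the two checks a decompression routine needs before it writes anything: every entry name must resolve inside the extraction root, and the file types must match an allow-list that excludes server-executed formats such as .jsp. The allow-list is a hypothetical policy, and the archive it audits is constructed in the script rather than taken from any real upload.

```python
import io
import os
import posixpath
import tempfile
import zipfile
from typing import List, Tuple

# Hypothetical allow-list for a web-deployment package (not Commvault's policy).
# Server-executed types such as .jsp are deliberately absent.
ALLOWED_EXTENSIONS = {".html", ".css", ".js", ".png", ".json"}


def entry_is_contained(name: str) -> bool:
    """True if a ZIP entry name stays inside the extraction root.

    Backslashes are folded to '/' so a Windows-style '..\\x' is not missed,
    absolute paths and drive letters are rejected, and the normalised path
    may not begin with '..'.
    """
    name = name.replace("\\", "/")
    if posixpath.isabs(name) or (len(name) > 1 and name[1] == ":"):
        return False
    normalised = posixpath.normpath(name)
    return normalised != ".." and not normalised.startswith("../")


def audit_zip(data: bytes) -> List[Tuple[str, str]]:
    """Return (entry_name, reason) for every entry that must not be written."""
    rejected: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not entry_is_contained(name):
                rejected.append((name, "path escapes extraction root"))
                continue
            if info.is_dir():
                continue
            ext = posixpath.splitext(name)[1].lower()
            if ext not in ALLOWED_EXTENSIONS:
                rejected.append((name, f"disallowed file type {ext or '(none)'}"))
    return rejected


def safe_extract(data: bytes, dest: str) -> List[str]:
    """Write the archive under dest only if every entry passed audit_zip.

    As a second, independent guard, the resolved target of each entry is
    re-checked against the resolved destination before anything is written.
    Returns the relative paths that were written.
    """
    problems = audit_zip(data)
    if problems:
        raise ValueError(f"refusing to extract: {problems}")
    root = os.path.realpath(dest)
    written: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, *info.filename.split("/")))
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"entry resolves outside root: {info.filename}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, root))
    return written


def extract_to_tempdir(data: bytes) -> List[str]:
    """Demo helper: extract into a fresh temporary directory."""
    return safe_extract(data, tempfile.mkdtemp(prefix="pkg-"))


def build_sample_zip(include_bad_entries: bool = True) -> bytes:
    """Constructed test archive (not a real captured upload).

    With include_bad_entries it holds one benign file, one entry whose name
    climbs out of the root, and one file with a server-executed extension.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("static/index.html", "<html>placeholder</html>")
        if include_bad_entries:
            zf.writestr("../escaped.txt", "placeholder outside the root")
            zf.writestr("static/page.jsp", "placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in audit_zip(build_sample_zip()):
        print(f"REJECT {name}: {reason}")
    print("written:", extract_to_tempdir(build_sample_zip(include_bad_entries=False)))
```

The audit runs over the whole archive before the first byte is written, so a single bad entry rejects the package rather than leaving a half-deployed tree behind; the realpath re-check in safe_extract catches anything the name-based filter might miss, such as a symlink already present under the destination.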
The active exploitation of this vulnerability prompted CISA to add it to the KEV catalog. CISA has also mandated that Federal Civilian Executive Branch (FCEB) agencies apply the required patches by May 23, 2025, to secure their networks.
No Customer Backup Data Breached Yet
While CVE-2025-34028 has been exploited in the wild, Commvault has confirmed that the breach has affected only a small number of customers. Importantly, the company has stated that there has been no unauthorized access to customer backup data.
Given the severity of the vulnerability, CISA is urging all government agencies and organizations using Commvault Command Center to update to the patched versions immediately. Left unpatched, the vulnerability could have severe consequences, including remote code execution on affected systems.