Organizations running the Commvault Innovation Release are strongly advised to apply the latest patch to protect against CVE-2025-34028. This critical vulnerability permits unauthenticated remote code execution, giving attackers full control of the affected system.
Understanding the Commvault Security Flaw
A significant security flaw has been identified in the Commvault Command Center, a popular enterprise solution for data management and backup. The vulnerability, known as CVE-2025-34028, has been given a critical severity rating of 9.0 out of 10. This flaw allows remote attackers to execute arbitrary code on affected Commvault systems without authentication.
Technical Details of the Vulnerability
The vulnerability was discovered by Sonny Macdonald from watchTowr Labs and reported on April 7, 2025. It resides in the “deployWebpackage.do” component of the web interface, which is vulnerable to a pre-authenticated Server-Side Request Forgery (SSRF) attack. The flaw arises from inadequate validation of external servers that the Commvault system can interact with.
- SSRF Attack: The flaw lets an unauthenticated attacker make the Commvault server issue requests to attacker-chosen external servers.
- Code Execution: Attackers can further exploit the flaw by hosting a malicious ZIP archive containing a “.JSP” file, which the Commvault server retrieves and extracts to a directory under the attacker's control.
Exploitation Process
The exploitation process involves manipulating the “servicePack” parameter to scan directories and move the malicious “.JSP” file to a publicly accessible location. By re-triggering the SSRF vulnerability, attackers can execute the “.JSP” file, achieving remote code execution on the Commvault system.
Bypassing Security Measures
The ZIP file is processed through a “multipart request,” allowing attackers to bypass typical security measures that might block standard web requests. This method increases the risk of successful exploitation.
Response and Mitigation
watchTowr Labs promptly reported the issue to Commvault, which released a patch on April 10, 2025. The vulnerability was publicly disclosed on April 17, 2025. Commvault confirmed that the flaw affects “Innovation Release” versions 11.38.0 to 11.38.19 on Linux and Windows. Updating to version 11.38.20 or 11.38.25 resolves the issue.
- Patch Release: Commvault issued a patch to address the vulnerability.
- Detection Tool: watchTowr Labs developed a “Detection Artefact Generator” to help administrators identify vulnerable systems.
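As an added triage helper (not part of this article and not watchTowr's Detection Artefact Generator), the script below checks a reported version against the affected range named above and flags web-server log entries that touched the “deployWebpackage.do” endpoint. The combined-log-format regex, the “/commandcenter/” path prefix and the sample log lines are constructed assumptions; adjust the regex to the real front-end log layout.

```python
import re

# Affected range stated in the advisory text: Innovation Release 11.38.0 - 11.38.19.
AFFECTED_MAJOR_MINOR = (11, 38)
AFFECTED_PATCH_RANGE = range(0, 20)  # 0..19 inclusive; 11.38.20 and 11.38.25 are fixed


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse a dotted Commvault version string such as '11.38.19' into integers."""
    parts = version.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def is_affected(version: str) -> bool:
    """True when the version lies inside the range the advisory names as vulnerable.
    Only 11.38.x is classified, because the advisory text covers nothing else."""
    major, minor, patch = parse_version(version)
    return (major, minor) == AFFECTED_MAJOR_MINOR and patch in AFFECTED_PATCH_RANGE


# Assumed generic combined log format (constructed); real Commvault logs may differ.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) \S+"
)


def find_deploy_requests(log_lines) -> list[dict]:
    """Return one record per request that reached deployWebpackage.do.
    Any hit from an address that should never reach the Command Center unauthenticated
    deserves investigation; a 2xx response with a servicePack parameter is the priority."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or "deployWebpackage.do" not in m.group("path"):
            continue
        hits.append({"src": m.group("src"), "ts": m.group("ts"),
                     "method": m.group("method"), "status": int(m.group("status")),
                     "has_servicepack": "servicePack=" in m.group("path")})
    return hits


# Constructed sample lines (not real traffic) so the script runs stand-alone.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Apr/2025:10:01:12 +0000] "POST /commandcenter/deployWebpackage.do?servicePack=example HTTP/1.1" 200 512',
    '198.51.100.3 - - [21/Apr/2025:10:01:15 +0000] "GET /commandcenter/login.do HTTP/1.1" 200 3120',
    '203.0.113.7 - - [21/Apr/2025:10:02:40 +0000] "POST /commandcenter/deployWebpackage.do HTTP/1.1" 500 88',
]

if __name__ == "__main__":
    for v in ("11.38.0", "11.38.19", "11.38.20", "11.38.25"):
        print(v, "affected" if is_affected(v) else "not in affected range")
    for hit in find_deploy_requests(SAMPLE_LOG):
        print(hit)
```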