A critical remote code execution (RCE) vulnerability, tracked as CVE-2025-34028, has been disclosed in Commvault Command Center Innovation Release. The flaw, rated CVSS 10.0, lets unauthenticated attackers execute arbitrary code through a path traversal weakness in the server's ZIP extraction logic. It affects the 11.38 release line (11.38.0 through 11.38.19) and poses a significant risk to enterprises that rely on the platform for backup and data management.
Summary for CISOs
The vulnerability lets an attacker deliver a crafted ZIP archive that, when the server extracts it, writes files outside the intended directory and drops a payload that is then executed, giving RCE with no authentication and potentially full compromise of the host. Immediate action is required: patch to version 11.38.20 or 11.38.25, released on April 10, 2025 [1], or, until the patch can be applied, isolate the Command Center interface from untrusted networks.
- CVSS Score: 10.0 (Critical)
- Affected Versions: Command Center Innovation Release 11.38.0–11.38.19
- Fix: Upgrade to 11.38.20/11.38.25
- Workaround: Restrict network access to Command Center
Technical Analysis
The vulnerability stems from missing validation of entry paths inside a ZIP archive during extraction (the pattern commonly called "zip slip"). An attacker crafts an archive whose entry names contain directory traversal sequences (for example `../../malicious.sh`) so that, when the server writes each entry to disk, the file lands outside the intended extraction directory. Once the dropped file sits in a location the application will load or execute, the payload runs in the context of the Commvault service account, which typically holds elevated privileges [2].
Commvault's advisory confirms the flaw is exploitable without authentication; the only prerequisite is network access to the Command Center web interface. This contrasts with the issue addressed in the earlier advisory CV_2025_03_1 (March 2025), which required an authenticated session before a webshell could be deployed [3].
Mitigation and Relevance
Organizations should prioritize patching because the attack complexity is low and the impact is total. Where immediate patching is impractical, the following interim measures are recommended:
| Action | Details |
|---|---|
| Network segmentation | Isolate Command Center instances from untrusted networks; expose the web interface only to administrative networks or through a VPN |
| Log monitoring | Review web server and application logs for unexpected ZIP processing and for entry names or request paths containing `..` sequences |
| Input validation | Until patched, reject archives whose entries carry traversal sequences (`..` components), absolute paths, or drive letters before they reach the extractor |
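The extraction flaw described under Technical Analysis and the interim filter in the Input Validation row above are two sides of the same check, so the following added example covers both. It is illustrative code written for this page, not Commvault's code, and it does not reproduce the product's actual extractor; the scratch directory layout (`app/uploads/extract`), the entry name `../../malicious.sh`, and the archive contents are constructed for the demonstration. It builds an archive with a traversal entry in memory, shows a hand-rolled extractor that trusts entry names and therefore writes outside its destination, then the hardened form that resolves every target and rejects the whole archive if any entry escapes, plus the standalone pre-extraction filter a gateway could apply.

```python
import io
import os
import shutil
import tempfile
import zipfile


def build_zip(entries):
    """Build an archive in memory from {entry_name: payload_bytes}.
    Used only to construct sample input for this example; nothing is read from disk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def find_traversal_entries(zip_bytes):
    """Pre-extraction filter: return entry names that are absolute, carry a
    Windows drive letter, or contain a '..' component (either separator)."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            parts = name.replace("\\", "/").split("/")
            absolute = name.startswith(("/", "\\"))
            drive = len(parts[0]) == 2 and parts[0][1] == ":"
            if absolute or drive or ".." in parts:
                flagged.append(name)
    return flagged


def naive_extract(zip_bytes, dest):
    """VULNERABLE pattern: join the untrusted entry name to dest and write it.
    (Python's own ZipFile.extract() strips traversal; this hand-rolled loop
    emulates an extractor that does not, which is the bug class in question.)"""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.abspath(os.path.join(dest, info.filename))  # no containment check
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def safe_extract(zip_bytes, dest):
    """Hardened form: resolve every target first and require it to stay under
    dest; reject the whole archive before writing anything if one entry escapes."""
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        targets = []
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            target = os.path.realpath(os.path.join(dest_real, name))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"zip entry escapes destination: {info.filename!r}")
            targets.append((info, target))
        written = []
        for info, target in targets:
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def demo():
    """Run the filter and both extractors against constructed archives inside a
    scratch tree root/app/uploads/extract, clean up, and return the observations."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="zipslip-"))
    dest = os.path.join(root, "app", "uploads", "extract")
    os.makedirs(dest)
    malicious = build_zip({"../../malicious.sh": b"#!/bin/sh\necho pwned\n"})  # constructed
    benign = build_zip({"config/settings.conf": b"key=value\n"})            # constructed

    def rel(path):
        return os.path.relpath(path, root).replace(os.sep, "/")

    try:
        escaped = naive_extract(malicious, dest)  # lands two levels up, in root/app/
        try:
            safe_extract(malicious, dest)
            blocked = False
        except ValueError:
            blocked = True
        kept = safe_extract(benign, dest)  # a well-formed archive still extracts
        return {
            "flagged": find_traversal_entries(malicious),
            "benign_flagged": find_traversal_entries(benign),
            "escaped_relpath": rel(escaped[0]),
            "escaped_existed": os.path.isfile(escaped[0]),
            "blocked": blocked,
            "benign_relpath": rel(kept[0]),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

The containment test compares `os.path.realpath` results rather than looking for the literal string `..`, so it also catches symlinked destinations and absolute entry names; the separate `find_traversal_entries` filter is the cheaper check suited to a reverse proxy or upload gateway that never extracts anything. Note that the hardened extractor validates all entries before writing any, so a rejected archive leaves no partially extracted files behind.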
This vulnerability is particularly relevant to teams that run enterprise backup infrastructure: a backup server holds credentials and copies of data from across the estate, so a compromised Commvault host is a natural pivot point for lateral movement into critical data stores.
Conclusion
CVE-2025-34028 is a severe threat to organizations running vulnerable Commvault versions. Historical parallels such as ProxyShell (2021) show how unpatched, pre-authentication flaws in internet-facing enterprise software lead to widespread breaches [4]. Prompt patching and tight network controls on the Command Center interface are essential.
References
- [1] Commvault, security advisory CV_2025_04_1, April 2025.
- [2] GBHackers, "Commvault Webserver Flaw Analysis", April 2025.
- [3] Commvault, security advisory CV_2025_03_1, March 2025.
- [4] ProxyShell exploit details, 2021.