
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has escalated the urgency around a critical vulnerability in Commvault Command Center, designated as CVE-2025-34028 (CVSS score: 10.0). The flaw, a path traversal issue leading to remote code execution (RCE), was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on May 2, 2025, following confirmed active exploitation [1]. Federal agencies are required to patch the vulnerability by May 23, 2025, under Binding Operational Directive (BOD) 22-01 [2].
Technical Breakdown of CVE-2025-34028
The vulnerability affects Commvault Command Center Innovation Release versions 11.38.0 through 11.38.19. Attackers exploit it by uploading malicious ZIP files to the deployWebpackage.do endpoint, which triggers server-side request forgery (SSRF) and RCE during decompression [3]. Unauthenticated access lowers the barrier for exploitation, making it a high-priority threat. A simplified proof-of-concept (PoC) demonstrates the attack flow:
```python
import requests

# Endpoint named in the advisory coverage; "target" stands in for the host.
target = "http://target/deployWebpackage.do"
# "malicious_zip" is left undefined in the original snippet: it stands for the
# crafted archive the text describes and is not provided here.
requests.post(target, files={"file": ("exploit.zip", malicious_zip)})
```
This aligns with findings from WatchTowr Labs, which highlight the chaining potential of similar vulnerabilities [4].
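The traversal class described above arises when entry names inside an uploaded archive are trusted during extraction. As an added illustration (not Commvault’s code and not the PoC above), the check below resolves every entry name against the intended extraction directory and rejects the archive if any entry would land outside it; the archive it inspects is constructed inline, and the function and directory names are assumptions.

```python
import io
import os
import posixpath
import zipfile

def unsafe_zip_entries(zip_bytes: bytes, dest_root: str) -> list:
    """Return archive entry names that would be written outside dest_root.

    Entry names inside a ZIP are untrusted input. Joining them onto the
    extraction directory without this check lets "../" segments or absolute
    names escape it, which is the path-traversal class described above.
    """
    root = os.path.realpath(dest_root)
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # ZIP names use "/", but tolerate backslashes from odd archivers.
            norm = posixpath.normpath(name.replace("\\", "/"))
            # Absolute paths and drive-qualified names escape trivially.
            if norm.startswith("/") or os.path.splitdrive(norm)[0]:
                flagged.append(name)
                continue
            target = os.path.realpath(os.path.join(root, *norm.split("/")))
            # After resolution the entry must still sit under the root.
            if os.path.commonpath([root, target]) != root:
                flagged.append(name)
    return flagged

def build_sample_archive() -> bytes:
    """Constructed test input: one benign entry and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("webapp/index.html", "<html></html>")
        zf.writestr("../../escape.txt", "lands outside the extraction root")
    return buf.getvalue()

def extract_if_safe(zip_bytes: bytes, dest_root: str) -> bool:
    """Reject the whole archive if any entry is unsafe; extract otherwise."""
    if unsafe_zip_entries(zip_bytes, dest_root):
        return False
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest_root)
    return True

if __name__ == "__main__":
    print(unsafe_zip_entries(build_sample_archive(), "extract_root"))
```

Rejecting the whole archive, rather than skipping the bad entry, avoids partially deploying attacker-controlled content.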
Broader Threat Context
CVE-2025-34028 is not isolated. A related flaw, CVE-2025-3928 (CVSS 8.7), was added to the KEV catalog on April 28, 2025, after being linked to webshell deployments in Commvault’s Azure environment [5]. Both vulnerabilities are under active exploitation by ransomware groups and nation-state actors targeting backup systems [6].
| CVE | Type | Affected Versions | Patch Deadline |
|---|---|---|---|
| CVE-2025-34028 | Path Traversal → RCE | 11.38.0–11.38.19 | May 23, 2025 |
| CVE-2025-3928 | Webshell Deployment | Patched in 11.36.46, 11.32.89 | April 28, 2025 |
Mitigation and Relevance
Organizations using Commvault should immediately apply patches from the vendor’s security advisory [7]. Key steps include:
- Restricting access to exposed interfaces.
- Monitoring for anomalous file uploads or SSRF attempts.
- Validating backups to ensure they are free from compromise.
The vulnerability’s impact extends beyond federal systems, as backup solutions are often high-value targets for data exfiltration and ransomware attacks [8].
Conclusion
CVE-2025-34028 underscores the criticality of timely patch management, especially for vulnerabilities with public exploits. CISA’s KEV catalog serves as a definitive guide for prioritizing remediation efforts. Future updates may reveal additional exploitation vectors, warranting continuous monitoring.
References
1. “Commvault CVE-2025-34028 Added to CISA KEV After Active Exploitation Confirmed,” The Hacker News, May 2025.
2. CISA Known Exploited Vulnerabilities Catalog, updated May 2025.
3. “Critical Commvault Vulnerability (CVE-2025-34028): A Zero-Click Nightmare,” Medium, May 2025.
4. WatchTowr Labs SonicWall Exploit Chain Analysis, April 2025.
5. “CISA Adds Broadcom, Commvault Vulnerabilities to KEV Catalog Amid Confirmed Exploitation,” LinkedIn, April 2025.
6. “Commvault’s Azure Breach: A Zero-Day Tale of Webshells and Nation-State Hackers,” Medium, April 2025.
7. Commvault Security Advisory CV_2025_04_1, May 2025.
8. HHS Alert on Backup System Risks, May 2025.