CVE-2025-34028: 
Commvault vulnerability analysis and mitigation

A critical path traversal vulnerability (CVE-2025-34028) was discovered in Commvault Command Center Innovation Release, affecting versions 11.38.0 through 11.38.19 on both Windows and Linux platforms. The vulnerability, discovered by watchTowr researcher Sonny Macdonald and disclosed on April 7, 2025, allows an unauthenticated attacker to upload ZIP files that can lead to Remote Code Execution when expanded by the target server (Commvault Advisory, Help Net Security).

The vulnerability exists in the deployWebpackage.do endpoint, which enables a pre-authenticated Server-Side Request Forgery (SSRF) due to insufficient host filtering. The vulnerability chain involves forcing vulnerable Commvault instances to fetch a malicious ZIP file from an externally controlled server, which is then unzipped to a .tmp directory controlled by the attacker. The vulnerability received a CVSS v3.1 score of 10.0 (CRITICAL) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H (WatchTowr Labs).

The vulnerability allows unauthenticated attackers to achieve remote code execution on affected Commvault Command Center instances, potentially leading to a complete compromise of the Command Center environment. The vulnerability specifically impacts the Innovation Release version of the software, which maintains cutting-edge features of the Commvault solution (Commvault Advisory, Help Net Security).

Commvault has addressed the vulnerability in versions 11.38.20 and 11.38.25, released on April 10, 2025. For organizations unable to update immediately, Commvault recommends isolating the Command Center installation from external network access. Innovation releases are automatically managed according to predefined schedules, requiring no manual intervention. For Commvault SaaS customers, all necessary patches are automatically deployed by Commvault with no customer action required (Commvault Advisory).