CVE-2025-34136: 
Commvault vulnerability analysis and mitigation

An SQL injection vulnerability exists in Commvault Web Server component affecting versions 11.32.0 - 11.32.93, 11.36.0 - 11.36.51, and 11.38.0 - 11.38.19. The vulnerability was discovered on April 14, 2025, and publicly disclosed on July 25, 2025. This security flaw specifically impacts systems where the CommServe and Web Server roles are installed, while other Commvault components deployed in the same environment remain unaffected (Commvault Advisory, VulnCheck).

The vulnerability is classified as a SQL injection flaw that allows remote attackers to perform SQL injection attacks without requiring authentication. The severity is rated as MEDIUM with a CVSS v4.0 base score of 6.9, and vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N. The vulnerability specifically affects the Web Server component when installed alongside CommServe (VulnCheck, Commvault Advisory).

The vulnerability allows unauthenticated remote attackers to perform SQL injection attacks against the affected systems. This could potentially lead to unauthorized access to the database, data manipulation, and exposure of sensitive information stored within the CommServe and Web Server components (Commvault Advisory).

Commvault has released patched versions to address this vulnerability. Users should upgrade to version 11.32.94 for the 11.32.x branch, 11.36.52 for the 11.36.x branch, or 11.38.20 for the 11.38.x branch. If immediate patching is not feasible, it is recommended to isolate the Command Center and Web Server installation from external network access (Commvault Advisory).