CVE-2025-34028 impacts Commvault Command Center

CVE-2025-34028 is a critical path traversal vulnerability affecting the Commvault Command Center Innovation Release. This flaw allows unauthenticated remote attackers to upload malicious ZIP files, which, when extracted by the server, result in remote code execution (RCE).

1. Vulnerability Overview

Description

The vulnerability exists in the deployWebpackage.do endpoint of Commvault Command Center. Attackers can exploit this endpoint to upload ZIP files containing malicious payloads. When the server processes these files, it inadvertently executes the embedded code, granting attackers unauthorized access and control over the system.

Severity

• CVSS Score: 9.0 (Critical).
• Attack Vector: Network (AV:N).
• Attack Complexity: Low (AC:L).
• Privileges Required: None (PR:N).
• User Interaction: None (UI:N).

2. Affected Versions

The vulnerability impacts the following versions of Commvault Command Center Innovation Release:

• 11.38.0 through 11.38.19.

3. Exploitation Details

How It Works

The exploitation process involves the following steps:

1. ZIP File Upload:

• Attackers send a crafted HTTP request to the vulnerable endpoint (deployWebpackage.do), instructing the server to retrieve a malicious ZIP file from an external server.

1. Path Traversal:

• The ZIP file is extracted into a temporary directory under the attacker’s control. Using the servicePack parameter, attackers manipulate the extraction path to traverse into sensitive directories (e.g., ../../Reports/MetricsUpload/shell).

1. Remote Code Execution:

• The malicious payload (e.g., .JSP shell) is executed, granting attackers full control over the server.

Proof-of-Concept (PoC) Exploit

A PoC exploit has been publicly released, demonstrating how attackers can achieve pre-authenticated RCE using this vulnerability. The exploit leverages Server-Side Request Forgery (SSRF) to escalate the attack.

4. Impact

Potential Risks

• Complete System Compromise:
• Attackers can execute arbitrary code, modify configurations, and install malware.
• Data Breach:
• Sensitive information stored on the server may be exposed.
• Operational Disruption:
• Exploited systems may experience downtime or service interruptions.

5. Mitigation Strategies

A. Apply Security Updates

Commvault has released patches to address CVE-2025-34028. Users should update to the following versions:

• 11.38.20 or later.
• 11.38.25 is recommended for enhanced security.

B. Restrict Access

• Limit access to the Command Center’s management interface to trusted IP addresses.
• Use firewall rules to block unauthorized connections.

C. Monitor for Exploitation

• Audit server logs for unusual activity, such as unauthorized ZIP file uploads or directory traversal attempts.
• Deploy Intrusion Detection Systems (IDS) to flag suspicious HTTP requests targeting the vulnerable endpoint.

D. Strengthen Network Security

• Enforce multi-factor authentication (MFA) for administrative accounts.
• Use VPNs to secure remote access to the Command Center.

6. Conclusion

CVE-2025-34028 is a critical vulnerability that underscores the importance of securing endpoints and monitoring server activity. Organizations using Commvault Command Center must act swiftly to patch affected systems and implement robust access controls to mitigate risks.