
A critical vulnerability has been uncovered in the Commvault Command Center, potentially allowing attackers to execute arbitrary code remotely without authentication.
Tracked as CVE-2025-34028, the flaw has been assigned a CVSS score of 9.0, indicating a severe risk.
Commvault disclosed the issue on April 17, 2025, warning that the flaw could result in a complete system compromise.
The vulnerability affects versions 11.38.0 through 11.38.19 of the 11.38 Innovation Release and is resolved in 11.38.20 and 11.38.25.
Because the issue can be triggered without any credentials, it amounts to unauthenticated remote code execution and is particularly dangerous for Command Center instances reachable from the internet.
At the root of the issue is the Command Center endpoint “deployWebpackage.do”, which builds the URL of a deployment package from a host name supplied in the request and applies no host filtering. This is a Server-Side Request Forgery: an unauthenticated attacker can make the application fetch a package from a server they control.
Exploitation therefore consists of serving the application a ZIP archive that contains a malicious .JSP file. The server unpacks the archive into a temporary directory, but because the archive entry's name carries path-traversal sequences, the JSP is written outside that directory into a location the application server will serve and execute.
Requesting the planted file then yields code execution on the target environment.
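The two weaknesses described above (fetching from an attacker-chosen host, then extracting an archive whose entry names are trusted) are generic patterns. The following Python is an added illustration written for this page, not Commvault's code or watchTowr's tooling: it constructs an in-memory ZIP whose entry name climbs out of the extraction directory, shows that a naive extractor drops the file into a stand-in web root, and then shows the hardened extractor and an allow-list host check that would have blocked each step. The host allow-list, directory names and JSP payload are constructed for the example and carry no relation to real deployments.

```python
import io
import os
import shutil
import tempfile
import zipfile
from urllib.parse import urlparse

# Constructed allow-list for the example: the only hosts a deployment package
# may be fetched from. The vulnerable pattern takes the host from the request.
ALLOWED_PACKAGE_HOSTS = {"packages.internal.example"}


def build_package(entry_name: str, payload: bytes = b"<% out.println(1); %>") -> bytes:
    """Build an in-memory ZIP with one entry named entry_name.

    This stands in for the archive an attacker-controlled server would return;
    the entry name is what matters, the payload is a placeholder JSP.
    zipfile does not sanitise names on write, so '../' survives into the archive.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(entry_name, payload)
    return buf.getvalue()


def package_host_allowed(package_url: str) -> bool:
    """SSRF guard: accept only http(s) URLs whose host is on the allow-list."""
    parsed = urlparse(package_url)
    return parsed.scheme in ("http", "https") and parsed.hostname in ALLOWED_PACKAGE_HOSTS


def extract_unsafe(zip_bytes: bytes, dest: str) -> list:
    """Vulnerable pattern: join the entry name onto dest without checking it.

    An entry such as '../webroot/shell.jsp' is written outside dest.
    """
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # no normalisation, no check
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def extract_safe(zip_bytes: bytes, dest: str) -> list:
    """Hardened pattern: resolve every entry and refuse any that escapes dest."""
    dest_real = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"entry escapes {dest}: {info.filename!r}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(zf.read(info))
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors against a traversal archive inside a scratch tree.

    'webroot' is a constructed stand-in for a directory the application server
    would serve; the scratch tree is removed before returning.
    """
    root = tempfile.mkdtemp(prefix="zip-traversal-demo-")
    tmp_dir = os.path.join(root, "tmp")
    webroot = os.path.join(root, "webroot")
    os.makedirs(tmp_dir)
    os.makedirs(webroot)
    try:
        evil = build_package("../webroot/shell.jsp")

        extract_unsafe(evil, tmp_dir)
        landed_in_webroot = os.path.isfile(os.path.join(webroot, "shell.jsp"))

        try:
            extract_safe(evil, tmp_dir)
            safe_rejected = False
        except ValueError:
            safe_rejected = True

        benign = build_package("dist/index.html", b"<html></html>")
        benign_written = extract_safe(benign, tmp_dir)
    finally:
        shutil.rmtree(root)

    return {
        "unsafe_wrote_into_webroot": landed_in_webroot,
        "safe_rejected_traversal": safe_rejected,
        "safe_extracted_benign": len(benign_written) == 1,
    }


if __name__ == "__main__":
    print(demo())
    print(package_host_allowed("http://packages.internal.example/package.zip"))
    print(package_host_allowed("http://attacker.example/package.zip"))
```

The check in extract_safe resolves symlinks and normalises the path before comparing, which is what makes it robust against entry names that mix "..", absolute paths and symlinked directories; checking for the literal string ".." in the entry name is not enough.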
To assist with detection, watchTowr has released a Detection Artefact Generator, allowing organizations to check if their systems are vulnerable.