The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting Commvault’s Command Center to its Known Exploited Vulnerabilities (KEV) catalog, following confirmed reports of active exploitation.
Vulnerability Details
The flaw, identified as CVE-2025-34028, is a path traversal vulnerability with the maximum CVSS score of 10.0. It affects Commvault Command Center versions 11.38.0 through 11.38.19. It allows unauthenticated remote attackers to get a specially crafted ZIP file onto the server; when the server decompresses it, entry names containing traversal sequences cause files to be written outside the intended extraction directory, which can lead to remote code execution.
Cybersecurity firm watchTowr Labs discovered the issue and pinpointed the "deployWebpackage.do" endpoint as the source. The endpoint can be abused without authentication to trigger a Server-Side Request Forgery (SSRF) that makes the server fetch and unpack an attacker-supplied ZIP archive. If that archive carries a malicious .JSP file under a traversal path, the file lands in a web-served directory and the attacker obtains code execution by requesting it.
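The archive-expansion bug class described above (an entry name such as `../webroot/shell.jsp` escaping the extraction directory) is easy to reproduce and easy to check for. The following is an added, generic illustration in Python; it is not Commvault's code, does not target the deployWebpackage.do endpoint, and the directory names, the constructed ZIP and the `<% %>` placeholder payload are all assumptions made for the example. It builds a ZIP with a traversal entry in memory, shows a naive extractor writing the file outside its target directory, shows a hardened extractor that refuses it, and includes a scanner that flags suspect entry names in any ZIP a responder wants to triage.

```python
import io
import os
import posixpath
import re
import tempfile
import zipfile


def build_malicious_zip(traversal_name: str, payload: bytes) -> bytes:
    """Constructed sample archive: one benign entry plus one whose name
    climbs out of the extraction directory (assumed names, not real data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", b"benign file")
        zf.writestr(traversal_name, payload)
    return buf.getvalue()


def find_traversal_entries(zip_bytes: bytes) -> list[str]:
    """Return entry names that would escape the extraction directory:
    absolute paths, Windows drive letters, or a leading '..' after
    normalisation (backslashes are treated as separators)."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            normalized = posixpath.normpath(name.replace("\\", "/"))
            if (name.startswith(("/", "\\"))
                    or re.match(r"^[A-Za-z]:", name)
                    or normalized == ".."
                    or normalized.startswith("../")):
                flagged.append(name)
    return flagged


def unsafe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Deliberately naive extraction: joins the entry name onto dest with
    no normalisation, so '..' components are honoured. Returns the real
    paths that were written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Hardened extraction: resolve the final path and require that it
    stays inside the resolved destination, rejecting the whole archive
    on the first escaping entry."""
    dest_real = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"zip entry escapes destination: {info.filename!r}")
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(zf.read(info))
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors against the constructed archive and report
    whether the payload escaped and whether the hardened path blocked it."""
    root = tempfile.mkdtemp()
    extract_dir = os.path.join(root, "extract")
    safe_dir = os.path.join(root, "extract_safe")
    webroot = os.path.join(root, "webroot")  # assumed web-served directory
    for d in (extract_dir, safe_dir, webroot):
        os.makedirs(d)

    evil = build_malicious_zip("../webroot/shell.jsp", b"<% /* placeholder */ %>")
    unsafe_extract(evil, extract_dir)
    landed_outside = os.path.exists(os.path.join(webroot, "shell.jsp"))

    try:
        safe_extract(evil, safe_dir)
        blocked = False
    except ValueError:
        blocked = True

    return {
        "flagged": find_traversal_entries(evil),
        "unsafe_wrote_outside": landed_outside,
        "safe_blocked": blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The check in `safe_extract` is the one that matters: compare the resolved target against the resolved destination rather than string-matching on `..`, since symlinks, mixed separators and encoded sequences all defeat a substring test. `find_traversal_entries` is the quick triage pass to run on any archive recovered from an affected host before opening it.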
Commvault has addressed the vulnerability in versions 11.38.20 and 11.38.25. Users on any 11.38.x build below 11.38.20 are urged to update to one of these versions promptly.
CISA’s Response and Recommendations
In light of the active exploitation, CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies apply the necessary patches by May 23, 2025. The agency also advises all organizations using affected versions to follow vendor instructions, apply mitigations, or discontinue use if patches are unavailable.
Impact and Mitigation
Commvault reported that a small number of customers have been affected, but that there has been no unauthorized access to backup data. For those unable to update immediately, isolating the Command Center interface from external network access is recommended, since the attack requires no credentials and only reachability of the vulnerable endpoint.
This incident marks the second time a Commvault vulnerability has been exploited in real-world attacks, following CVE-2025-3928, which allowed remote, authenticated attackers to create and execute web shells.
Organizations are encouraged to review their systems for potential exposure, confirming the installed Command Center build, checking whether the interface is reachable from untrusted networks, and looking for unexpected .JSP files in web-served directories, and to take immediate action to mitigate risks associated with this vulnerability.