Back to KEVs

CVE-2025-34028

Commvault Command Center Innovation Release Unathenticated Install Package Path Traversal

Basic Information

CVE State
PUBLISHED
Reserved Date
April 15, 2025
Published Date
April 22, 2025
Last Updated
July 30, 2025
Vendor
Commvault
Product
Command Center Innovation Release
Description
The Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files that represent install packages that, when expanded by the target server, are vulnerable to path traversal vulnerability that can result in Remote Code Execution via malicious JSP. This issue affects Command Center Innovation Release: 11.38.0 to 11.38.20. The vulnerability is fixed in 11.38.20 with SP38-CU20-433 and SP38-CU20-436 and also fixed in 11.38.25 with SP38-CU25-434 and SP38-CU25-438.
Tags
cisa nuclei_scanner

CVSS Scores

CVSS v3.1

10.0 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H

EPSS Score

Score
65.37% (Percentile: 98.36%) as of 2025-05-30

SSVC Information

Exploitation
active
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2025-05-02 00:00:00 UTC) Source
Proof of Concept Available
Yes (added 2025-05-06 16:44:41 UTC) Source

References

https://documentation.commvault.com/securityadvisories/CV_2025_04_1.html https://labs.watchtowr.com/fire-in-the-hole-were-breaching-the-vault-commvault-remote-code-execution-cve-2025-34028/ https://github.com/watchtowrlabs/watchTowr-vs-Commvault-PreAuth-RCE-CVE-2025-34028

Known Exploited Vulnerability Information

Source Added Date
CISA 2025-05-02 00:00:00 UTC

Recent Mentions

Update – Since our last security bulletin, Commvault has clarified that being on versions 11.38.20 or 11.38.25 alone is not sufficient—particular updates within those versions must be installed to fully apply the fix for CVE-2025-34028. This update was made on May 7, 2025. Additionally, the vulnerability was added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog ... Follow-Up: Commvault Updates Advisory With Fixed Versions for Critical Commvault Command Center Vulnerability (CVE-2025-34028)

Researcher Says Patched Commvault Bug Still Exploitable

Source: Dark Reading • Published: 2025-05-06 21:24:58 UTC

CISA added CVE-2025-34028 to its catalog of known exploited vulnerabilities, citing active attacks in the wild.

Commvault CVE-2025-34028 Added to CISA KEV After Active Exploitation Confirmed

Source: TheHackerNews • Published: 2025-05-05 16:01:00 UTC

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a maximum-severity security flaw impacting Commvault Command Center to its Known Exploited Vulnerabilities (KEV) catalog, a little over a week after it was publicly disclosed. The vulnerability in question is CVE-2025-34028 (CVSS score: 10.0), a path traversal bug that affects 11.38 Innovation Release, from versions

CISA Adds Two Known Exploited Vulnerabilities to Catalog

Source: All CISA Advisories • Published: 2025-05-02 12:00:00 UTC

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2025-34028 Commvault Command Center Path Traversal Vulnerability CVE-2024-58136 Yiiframework Yii Improper Protection of Alternate Path Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
As we pack our bags and prepare for the adult-er version of BlackHat (that apparently doesn’t require us to print out stolen mailspoolz to hand to people at their talks), we want to tell you about a recent adventure - a heist, if you will.No heist story

Critical Commvault Command Center Flaw Enables Attackers to Execute Code Remotely

Source: TheHackerNews • Published: 2025-04-24 10:00:00 UTC

A critical security flaw has been disclosed in the Commvault Command Center that could allow arbitrary code execution on affected installations. The vulnerability, tracked as CVE-2025-34028, carries a CVSS score of 9.0 out of a maximum of 10.0. "A critical security vulnerability has been identified in the Command Center installation, allowing remote attackers to execute arbitrary code without

Scanner Integrations

Scanner URL Date Detected
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-34028.yaml 2025-04-27 16:00:22 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

Mattb709/CVE-2025-34028-PoC-Commvault-RCE

Type: github • Created: 2025-05-06 16:44:41 UTC • Stars: 1

Proof-of-Concept (PoC) for CVE-2025-34028, a Remote Code Execution vulnerability in Commvault Command Center. This Python script scans single or multiple targets, executes commands, and reports vulnerable hosts.

becrevex/Commvault-CVE-2025-34028

Type: github • Created: 2025-05-06 06:16:13 UTC • Stars: 0

Commvault Remote Code Execution (CVE-2025-34028) NSE

watchtowrlabs/watchTowr-vs-Commvault-PreAuth-RCE-CVE-2025-34028

Type: github • Created: 2025-04-17 08:16:58 UTC • Stars: 10

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Detected by Nuclei

  • Added to KEVIntel

  • Proof of Concept Exploit Available