CVE-2025-34028
Confirmed PUBLISHEDCommvault Command Center Innovation Release <= 11.38.25 Unathenticated Install Package Path Traversal
393 days faster than CISA KEV
Recommended Action
Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
At a Glance
The Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files that represent install packages that, when expanded by the target server, are vulnerable to path traversal vulnerability that can result in Remote Code Execution via malicious JSP. This issue affects Command Center Innovation Release: 11.38.0 to 11.38.20. The vulnerability is fixed in 11.38.20 with SP38-CU20-433 and SP38-CU20-436 and also fixed in 11.38.25 with SP38-CU25-434 and SP38-CU25-438.
- CVE Published
- Apr 22, 2025
- Exploitation Reported
- May 02, 2025
- CVSS
- 9.3 Critical
- EPSS
- 97.3%
Affected Versions
| Vendor | Product | Version | Status |
|---|---|---|---|
| Commvault |
Command Center Innovation Release
|
11.38.0 to <= 11.38.25 |
Affected |
CVE References
- Vendor Advisory — documentation.commvault.com documentation.commvault.com · Vendor Advisory https://documentation.commvault.com/securityadvisories/CV_2025_04_1.html
- Third-Party Advisory — vulncheck.com vulncheck.com · Third-Party Advisory https://www.vulncheck.com/advisories/commvault-command-center-innovat...
- Exploit — labs.watchtowr.com labs.watchtowr.com · Exploit https://labs.watchtowr.com/fire-in-the-hole-were-breaching-the-vault-...
- GitHub — watchtowrlabs/watchTowr-vs-Commvault-PreAuth-RCE-CVE-2025-34028 github.com · Exploit https://github.com/watchtowrlabs/watchTowr-vs-Commvault-PreAuth-RCE-C...
Recommended Actions
- Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
- Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
- Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.
Known Exploited Vulnerability Sources
Catalogues that list this CVE as a known exploited vulnerability.
Per-source evidence links for KEV attestations are available through the KEVIntel Pro API.
Learn about Pro API access| Source | Added |
|---|---|
| All CISA Advisories First | 2025-05-05 08:35 UTC |
| CISA | 2026-06-02 14:08 UTC |
| The Shadowserver | 2026-07-06 00:00 UTC |
Scanner Artifacts
Nuclei and Metasploit references linked to this CVE.
| Scanner | Reference | Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-34028.yaml | May 16, 2025 |
Virtual Patch
Compensating WAF rules to help reduce exposure to this CVE. Rule content and deployable vendor exports are available with KEVIntel Enterprise.
KEVIntel does not currently have a virtual patch for this CVE. When available, KEVIntel virtual patches ship as deployable ModSecurity, Cloudflare, and AWS WAF rules.
Enterprise feature. Virtual patch rule content and deployable vendor exports (ModSecurity, Cloudflare, AWS WAF) are available to KEVIntel Enterprise users.
CVSS Scores
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitation Status
Exploited in the wild
Recorded 2025-05-02 00:00:00 UTC · CISA
Proof of concept available
Recorded 2025-04-17 08:16:58 UTC · GitHub
Weaknesses (CWE)
-
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
-
Missing Authentication for Critical Function
Scanner Integrations
| Scanner | Reference | Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-34028.yaml | May 16, 2025 |
Recent Mentions
TheHackerNews · May 05, 2025
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a maximum-severity security flaw impacting Commvault Command Center to its Known Exploited Vulnerabilities (KEV) catalog, a little over a week after it was publicly disclosed. The vulnerability in question is CVE-2025-34028 (CVSS score: 10.0), a path traversal bug that affects 11.38 Innovation Release, from versions
All CISA Advisories · May 02, 2025
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2025-34028 Commvault Command Center Path Traversal Vulnerability CVE-2024-58136 Yiiframework Yii Improper Protection of Alternate Path Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
Watchtower Labs · Apr 24, 2025
As we pack our bags and prepare for the adult-er version of BlackHat (that apparently doesn’t require us to print out stolen mailspoolz to hand to people at their talks), we want to tell you about a recent adventure - a heist, if you will.No heist story
TheHackerNews · Apr 24, 2025
A critical security flaw has been disclosed in the Commvault Command Center that could allow arbitrary code execution on affected installations. The vulnerability, tracked as CVE-2025-34028, carries a CVSS score of 9.0 out of a maximum of 10.0. "A critical security vulnerability has been identified in the Command Center installation, allowing remote attackers to execute arbitrary code without
Potential Proof of Concepts
These PoCs are unverified and could contain malware. Use at your own risk.
github · Created 2025-04-17 08:16:58 UTC · 10 stars
nuclei · Created Unknown
Timeline
Key exploitation, disclosure, scanner coverage, and KEV attestation events for this CVE.
-
00:00 UTC 14 days ago00:00 UTC · 14 days ago
KEV confirmed by The Shadowserver
Exploitation attested by an external source
-
14:08 UTC about 2 months ago14:08 UTC · about 2 months ago
Added to CISA KEV
Listed in the CISA Known Exploited Vulnerabilities catalog
-
08:44 UTC about 1 year ago08:44 UTC · about 1 year ago
Nuclei template available
Scanner coverage available
-
08:35 UTC about 1 year ago08:35 UTC · about 1 year ago
Added to KEVIntel KEV Feed
High-confidence, third-party attested exploitation
-
16:32 UTC about 1 year ago16:32 UTC · about 1 year ago
CVE published
Vulnerability disclosed publicly
-
08:16 UTC over 1 year ago08:16 UTC · over 1 year ago
Public PoC available
Public proof-of-concept code published
-
19:15 UTC over 1 year ago19:15 UTC · over 1 year ago
CVE ID reserved
Identifier reserved by the CNA
Automate This Intelligence with the Pro API
Confidence scoring, exploit status, sensor telemetry, PoCs, scanner integrations, mentions, and tags are available programmatically for VM, SOC, and CTI workflows.
Pro API Example
GET /api/v2/pro/kevs/CVE-2025-34028
{
"cve_id": "CVE-2025-34028",
"title": "Commvault Command Center Innovation Release <= 11.38.25 Unathenticated Instal...",
"affected_vendor": "Commvault",
"affected_product": "Command Center Innovation Release",
"affected_versions": [
{ "vendor": "...", "product": "...", "status": "affected", "display_label": "..." }
],
"confidence": "Confirmed",
"cvss_score": 9.3,
"epss_score": 0.97292,
"exploit_status": {
"exploited_in_the_wild": true,
"active_exploitation_observed": false
},
"sensor_telemetry": { "...": "Pro API fields" },
"proof_of_concepts": [ "..." ],
"scanner_integrations": [ "..." ]
}