Critical Commvault RCE vulnerability fixed, PoC available (CVE-2025-34028)

If your organization is using Commvault Command Center for your data protection, backup creation, configuration and restoration needs, you should check whether your on-premise installation has been upgraded to patch a critical vulnerability (CVE-2025-34028) that could allow unauthenticated remote code execution.

About CVE-2025-34028

CVE-2025-34028 is a path traversal vulnerability affecting Commvault Command Center (Innovation Release) versions from 11.38.0 to 11.38.19, on Windows and Linux.

It was unearthed by watchTowr researcher Sonny Macdonald, who discovered an endpoint that can be reached without prior authentication, and a server-side request forgery (SSRF) vulnerability and path traversal issues that can be exploited to:

• Force the vulnerable Commvault instances to fetch a malicious ZIP file from an externally controlled server
• Unzip the file, execute and trigger the shell within it, thus achieving remote code execution

Macdonald has explained the whole process in a blog post published on Thursday, and released a proof-of-concept (PoC) exploit that can be used to check whether a Commvault Command Center instance is vulnerable.

What to do?

According to Commvault, CVE-2025-34028 does not impact the Long-Term Support Commvault Platform Releases, but just the 11.38 Innovation Release. It has been fixed earlier this month in versions 11.38.20 and 11.38.25.

“Innovation releases are automatically managed according to predefined schedules, so manual intervention is not required,” the company said in the accompanying security advisory.

“If installing the update is not feasible, then isolate the Command Center installation from external network access.”

Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!