Commvault, the vendor of the enterprise backup platform of the same name, has warned about a critical vulnerability in its Command Center management interface that allows a remote attacker to execute arbitrary code without any prior authentication. The issue, tracked as CVE-2025-34028, carries the maximum CVSS score of 10.0, placing it among the most severe vulnerabilities disclosed recently.
The vulnerability affects the Commvault 11.38 Innovation Release, versions 11.38.0 through 11.38.19. Commvault has fixed the issue in versions 11.38.20 and 11.38.25. The bug was found by researcher Sonny MacDonald of watchTowr Labs, who reported it to the vendor on April 7, 2025.
The root cause lies in the handling of requests to the internal endpoint deployWebpackage.do, which does not validate the host it is told to fetch a package from. Because the endpoint is reachable before login, this is a pre-authentication Server-Side Request Forgery (SSRF): the server places no restriction on outbound connections, so it can be made to download an archive from an attacker-controlled host.
An attacker sends a specially crafted HTTP request that makes the server fetch a ZIP archive from an external server. The archive is unpacked into a temporary directory, and a path traversal in the servicePack parameter then lets the attacker control where those files are moved, placing them in a directory served by the web application. The final step is to request the planted .jsp file at its now-known path; it executes on the server and gives the attacker full control of the system. None of these steps requires credentials, so any Command Center instance reachable by an attacker is exploitable.
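The chain above gives a defender two cheap things to look for in web server access logs: any request to deployWebpackage.do (the endpoint needs no authentication, so legitimate unauthenticated traffic to it should be rare), and a servicePack value that still contains a traversal sequence after percent-decoding, followed by a .jsp request from the same source. The script below is an added example, not code from watchTowr or Commvault. The log format, the /commandcenter/ prefix, the JSP path and the sample log lines are constructed assumptions for illustration; adapt the regular expression to the log format your Command Center front end actually writes.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameter named in the advisory coverage above.
VULN_ENDPOINT = "deployWebpackage.do"
TRAVERSAL_PARAM = "servicePack"

# Affected range reported for CVE-2025-34028: 11.38.0 through 11.38.19.
AFFECTED_MIN = (11, 38, 0)
AFFECTED_MAX = (11, 38, 19)

# Assumed combined access-log layout (constructed; adjust to your front end).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines: one suspicious pair from 203.0.113.7 and
# two benign requests from 10.0.0.5. The JSP path is hypothetical.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Apr/2025:10:01:12 +0000] "GET /commandcenter/ HTTP/1.1" 200 5123
203.0.113.7 - - [23/Apr/2025:10:02:40 +0000] "POST /commandcenter/deployWebpackage.do?servicePack=..%2F..%2F..%2Fexample HTTP/1.1" 200 88
203.0.113.7 - - [23/Apr/2025:10:02:41 +0000] "GET /commandcenter/example/shell.jsp?cmd=id HTTP/1.1" 200 412
10.0.0.5 - - [23/Apr/2025:10:03:00 +0000] "GET /commandcenter/login.jsp HTTP/1.1" 200 2048
""".splitlines()


def is_affected_version(version: str) -> bool:
    """True if the first three numeric components fall in the affected range."""
    nums = [int(x) for x in re.findall(r"\d+", version)][:3]
    nums += [0] * (3 - len(nums))
    return AFFECTED_MIN <= tuple(nums) <= AFFECTED_MAX


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (e.g. %252e%252e -> %2e%2e -> ..)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value: str) -> bool:
    """Detect ../ sequences after decoding, treating backslashes as separators."""
    v = decode_fully(value).replace("\\", "/")
    return "../" in v or v.endswith("..")


def scan_access_log(lines):
    """Return (line_number, source, reason) tuples for suspicious requests.

    A source that touches deployWebpackage.do is remembered; a later
    successful .jsp fetch from that same source is reported as the likely
    final step of the chain.
    """
    findings = []
    suspects = set()
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        src, status = m["src"], int(m["status"])
        parts = urlsplit(m["target"])
        path = unquote(parts.path).lower()
        query = parse_qs(parts.query, keep_blank_values=True)

        if path.endswith("/" + VULN_ENDPOINT.lower()):
            suspects.add(src)
            reason = "request to deployWebpackage.do (reachable without authentication)"
            if any(has_traversal(v) for v in query.get(TRAVERSAL_PARAM, [])):
                reason = "path traversal in servicePack parameter of deployWebpackage.do"
            findings.append((lineno, src, reason))
        elif src in suspects and path.endswith(".jsp") and status == 200:
            findings.append((lineno, src, "JSP fetched after deployWebpackage.do request from same source"))
    return findings


if __name__ == "__main__":
    print("11.38.19 affected:", is_affected_version("11.38.19"))
    for lineno, src, reason in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno} {src}: {reason}")
```

The version check is deliberately coarse (major.minor.build only); treat it as a triage hint and confirm against Commvault's own advisory. The log heuristic will also flag legitimate deployWebpackage.do traffic, so review each hit rather than alerting blindly, and feed the decoded servicePack value into your SIEM rule rather than matching on the raw query string, which attackers can percent-encode more than once.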
To help organizations check their exposure, watchTowr has released a detection artifact generator that defenders can run against their own Command Center installations. Used alongside a review of web server logs, it lets teams confirm which instances need attention and respond before an attacker does.
Given recent attacks on comparable products, including the Veeam and NAKIVO backup solutions, experts stress the urgency of updating vulnerable Commvault instances; where a patch cannot be applied immediately, restricting network access to the Command Center interface reduces the attack surface. Backup systems hold sensitive data and act as stepping stones into critical infrastructure, which makes them a high-priority target for attackers.