“A critical security vulnerability has been discovered in the Commvault Command Center that could enable malicious actors to remotely execute arbitrary code without authentication,” Commvault said in an advisory.
“This vulnerability could lead to a complete compromise of the Command Center environment. Fortunately, other installations within the same system are not affected by this vulnerability,” the advisory added.
The vulnerability, tracked as CVE-2025-34028, carries a CVSS score of 10.0 – the highest possible.
A researcher from watchTowr Labs, Sonny Macdonald, is credited with discovering and reporting the flaw on 7 April. He said it could be exploited to achieve pre-authenticated remote code execution.
Specifically, the issue is rooted in an endpoint called deployWebpackage.do, which exposes a pre-authenticated Server-Side Request Forgery (SSRF) because the endpoint does not restrict which hosts it will contact.
The flaw could then be escalated to achieve code execution by leveraging a ZIP archive file that contains a malicious .JSP file.
The sequence of events is as follows:
- Send an HTTP request to /commandcenter/deployWebpackage.do, causing the Commvault instance to retrieve a ZIP file from an external server
- Contents of the ZIP file get unzipped into a .tmp directory under the attacker’s control
- Use the servicePack parameter to traverse out of the .tmp directory into a directory that is served without authentication, such as ../../Reports/MetricsUpload/shell
- Execute the SSRF via /commandcenter/deployWebpackage.do
- Execute the shell from /reports/MetricsUpload/shell/.tmp/dist-cc/dist-cc/shell.jsp
Macdonald explained the process in a report published today, and released a proof-of-concept (PoC) exploit that can be used to check whether a Commvault Command Center instance is vulnerable.
Commvault said the vulnerability impacts only the 11.38 Innovation Release and has been resolved in the following Innovation Update releases. No other versions were affected.
- 11.38.20, which includes the fix as of 10 April 2025
- 11.38.25, which includes the fix as of 10 April 2025
Innovation releases are managed automatically according to predefined schedules, so no manual intervention is needed, Commvault added. “If installing the update is not feasible, then isolate the Command Center installation from external network access.”
Technically Serious, Operationally Significant
Heath Renfrow, CISO and co-founder at Fenix24, says the vulnerability is both technically serious and operationally significant for businesses that rely on Commvault for backup and recovery. He gives three reasons. Firstly, the flaw can be triggered before any authentication is required, meaning a bad actor doesn’t need valid credentials to initiate the exploit—removing one of the primary barriers to entry.
Also, the chained attack method, from Server-Side Request Forgery to ZIP-based file deployment, enables full remote code execution. “This effectively hands over server control to an external attacker, potentially allowing them to access or manipulate sensitive backup data or pivot deeper into the environment.”
A Potential Multi-Vector Crisis
Finally, Renfrow says Commvault is often deployed in environments that manage critical infrastructure and disaster recovery. “A compromise here could impact not just data integrity but also a company’s ability to recover from ransomware or system failure, turning a single flaw into a multi-vector crisis.”
Renfrow says several actions should be taken immediately. Apply the patches issued by Commvault as soon as possible and temporarily restrict internet access to the Command Center interface via firewall rules or access controls until the patch has been applied and verified. Also, look for abnormal outbound requests to unknown ZIP sources, file writes in temp directories, or unauthorized access to the /reports/MetricsUpload path. Finally, ensure application isolation, segmentation of management interfaces, and logging of all Command Center interactions.
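A log-based check for the indicators Renfrow lists, as an added example that is not from the article, Commvault or watchTowr. The access-log lines are constructed, and the script assumes a standard combined-format access log from the Command Center web tier; it matches only the endpoint, parameter and path named above.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format), not from any real system.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Apr/2025:10:01:02 +0000] "GET /commandcenter/login.jsp HTTP/1.1" 200 1834
203.0.113.9 - - [23/Apr/2025:10:02:15 +0000] "GET /commandcenter/deployWebpackage.do?servicePack=..%2F..%2FReports%2FMetricsUpload%2Fshell HTTP/1.1" 200 0
203.0.113.9 - - [23/Apr/2025:10:02:20 +0000] "GET /reports/MetricsUpload/shell/.tmp/dist-cc/dist-cc/shell.jsp HTTP/1.1" 200 512
10.0.0.7 - - [23/Apr/2025:10:03:00 +0000] "POST /commandcenter/api/Login HTTP/1.1" 200 77
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Split one access-log line into fields; decode the path and query."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = unquote(parts.path)
    entry["query"] = parse_qs(parts.query, keep_blank_values=True)
    return entry

def classify(entry):
    """Return the list of indicators this request matches (empty if none)."""
    path = entry["path"].lower()
    findings = []
    if path == "/commandcenter/deploywebpackage.do":
        # Any hit on the pre-auth endpoint is worth reviewing on its own.
        findings.append("pre-auth deployWebpackage.do request")
        for value in entry["query"].get("servicePack", []):
            # parse_qs decoded once; decode again to catch double-encoded traversal.
            if "../" in unquote(value).replace("\\", "/"):
                findings.append("servicePack path traversal")
                break
    if path.startswith("/reports/metricsupload/") and path.endswith(".jsp"):
        findings.append("JSP executed from /reports/MetricsUpload")
    return findings

def scan(log_text):
    """Return (source_ip, decoded_path, findings) for every suspicious line."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and (findings := classify(entry)):
            alerts.append((entry["src"], entry["path"], findings))
    return alerts

if __name__ == "__main__":
    for src, path, findings in scan(SAMPLE_LOG):
        print(f"{src} {path} -> {', '.join(findings)}")
```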
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.