Advisory

Critical vulnerability reported in Commvault Command Center

Take action: If you are running Commvault Command Center Innovation Release versions 11.38.0 to 11.38.19, patch IMMEDIATELY. Isolating the system from the internet and exposing it only to trusted networks is the right baseline, but it is not a substitute for patching: an attacker who lands on an internal host through phishing or malware can reach an isolated Command Center just as well. Don't delay - patch.


Learn More

A critical severity vulnerability has been discovered in Commvault's Backup and Recovery solution, affecting the Command Center environment. 

The vulnerability, tracked as CVE-2025-34028 (CVSS score 9.0 to 10.0 depending on the source), is a path traversal flaw in Commvault Command Center that enables remote code execution without authentication. When exploited, it allows attackers to:

  • Force a vulnerable Commvault instance to fetch a malicious ZIP file from an attacker-controlled server
  • Unzip that file on the target system, with entry names that traverse out of the intended directory
  • Execute the extracted payload (a web shell), achieving remote code execution
  • Completely compromise the Command Center environment
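The unzip step above is the classic "zip slip" pattern: an archive entry named with `../` segments lands outside the extraction directory, here in a location the server will execute. The following added example (not Commvault's code, and not an exploit for CVE-2025-34028; the endpoint, archive layout and directory names are assumptions constructed for illustration) builds an in-memory archive with one traversal entry, shows the vulnerable extraction loop writing outside its target, and shows the hardened loop rejecting the entry:

```python
"""Zip-slip demonstration: vulnerable extraction beside its hardened form.
Constructed example; requires Python 3.9+ (Path.is_relative_to)."""
import io
import tempfile
import zipfile
from pathlib import Path


def build_sample_zip() -> bytes:
    """Constructed in-memory archive: one benign entry plus one entry whose
    name climbs out of the extraction directory. The names are illustrative,
    not the ones used in the real advisory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "benign content\n")
        zf.writestr("../../webroot/shell.jsp", "<%-- placeholder --%>\n")
    return buf.getvalue()


def naive_extract(zip_bytes: bytes, dest: Path) -> list[Path]:
    """Vulnerable pattern: trusts entry names verbatim. Returns the resolved
    paths it wrote, so the caller can see which ones escaped `dest`."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            out = Path(dest) / info.filename      # '..' segments escape dest
            out.parent.mkdir(parents=True, exist_ok=True)
            out.write_bytes(zf.read(info))
            written.append(out.resolve())
    return written


def safe_extract(zip_bytes: bytes, dest: Path) -> tuple[list[str], list[str]]:
    """Hardened pattern: resolve every entry against the real extraction root
    and refuse anything that lands outside it. resolve() follows symlinks, so
    a pre-planted link inside dest pointing outward is caught as well.
    Returns (written_names, rejected_names)."""
    root = Path(dest).resolve()
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")   # normalise Windows-style names
            target = (root / name).resolve()          # absolute names replace root here
            if Path(name).is_absolute() or target == root or not target.is_relative_to(root):
                rejected.append(info.filename)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(info.filename)
    return written, rejected


def demo() -> dict:
    """Run both extractors in a scratch directory and report what happened.
    The extraction dirs are nested so the traversal entry stays inside the
    temporary tree rather than touching the real filesystem."""
    zip_bytes = build_sample_zip()
    with tempfile.TemporaryDirectory() as tmp:
        scratch = Path(tmp).resolve()
        naive_dest = scratch / "a" / "b" / "naive"
        naive_dest.mkdir(parents=True)
        escaped = [p for p in naive_extract(zip_bytes, naive_dest)
                   if not p.is_relative_to(naive_dest)]

        safe_dest = scratch / "a" / "b" / "safe"
        safe_dest.mkdir(parents=True)
        written, rejected = safe_extract(zip_bytes, safe_dest)

        return {
            "naive_escaped": [str(p.relative_to(scratch)) for p in escaped],
            "safe_written": written,
            "safe_rejected": rejected,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable loop writes `shell.jsp` two levels above its extraction directory, which is exactly what turns a file-write primitive into code execution when that location is served by the application. The check in `safe_extract` (resolve, then confirm containment) is the pattern to look for when reviewing any code that extracts archives fetched from a caller-supplied URL.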

WatchTowr researcher Sonny Macdonald, who discovered the vulnerability, found an endpoint reachable without authentication, along with server-side request forgery (SSRF) and path traversal issues that could be chained together for successful exploitation.

The vulnerability impacts Commvault Command Center Innovation Release versions from 11.38.0 to 11.38.19 on both Windows and Linux platforms. Commvault has confirmed that Long-Term Support Commvault Platform Releases are not affected by this vulnerability.

Commvault released a patch within a week of being notified by WatchTowr. The vulnerability has been fixed in the following versions:

  • Innovation Update release 11.38.20 (released April 10, 2025)
  • Innovation Update release 11.38.25

According to Commvault, "Innovation releases are automatically managed according to predefined schedules, so manual intervention is not required." However, for organizations that cannot immediately update, Commvault recommends isolating the Command Center installation from external network access as a mitigating measure.
