CISA Adds CVE-2025-34028 in Commvault Command Center to KEV Catalog

Wednesday, May 7, 2025

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability identified as CVE-2025-34028, affecting Commvault Command Center, to its Known Exploited Vulnerabilities (KEV) catalog after confirming it is being actively exploited following public disclosure. This vulnerability, which has a maximum CVSS score of 10.0, is a path traversal flaw found in Commvault Innovation Release 11.38 versions 11.38.0 through 11.38.19. It has been patched in versions 11.38.20 and 11.38.25.

CISA stated that this vulnerability allows unauthenticated remote attackers to execute arbitrary commands on the server by uploading a specially crafted ZIP file, which, when decompressed, results in remote code execution (RCE).

Cybersecurity firm watchTowr Labs, which discovered the issue, identified the vulnerable endpoint as deployWebpackage.do. The endpoint can be abused for pre-authentication Server-Side Request Forgery (SSRF), and chaining that with a ZIP archive containing a malicious .JSP file ultimately leads to RCE. Although the exact methods used in real-world exploitation have not yet been fully disclosed, this marks the second actively exploited Commvault vulnerability, following CVE-2025-3928 (CVSS 8.7), which allowed authenticated attackers to create and execute web shells on the Commvault Web Server.
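The flaw described above combines path traversal during ZIP decompression with a server-executable payload. As an added example (not code from the article, watchTowr or Commvault), the following defender-side Python check inspects an uploaded archive before anything is extracted, flagging members that would escape the target directory or drop server-side code such as .jsp files; the sample archives are constructed in memory and the function names are my own.

```python
import io
import posixpath
import zipfile

# Extensions a Java web server would execute if written under its webroot.
WEB_EXECUTABLE = {".jsp", ".jspx", ".war"}


def unsafe_entries(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (member_name, reason) for every archive member that would
    escape the extraction directory or plant server-executable content.
    Pure inspection: nothing is written to disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            # Treat Windows separators as path separators, then collapse
            # "a/../b" style segments so hidden traversal is exposed.
            norm = posixpath.normpath(name.replace("\\", "/"))
            if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
                findings.append((name, "absolute path"))
            elif norm == ".." or norm.startswith("../"):
                findings.append((name, "path traversal"))
            elif posixpath.splitext(norm)[1].lower() in WEB_EXECUTABLE:
                findings.append((name, "server-executable content"))
    return findings


def is_safe_package(zip_bytes: bytes) -> bool:
    """True only when no member traverses or carries executable content."""
    return not unsafe_entries(zip_bytes)


def build_sample(entries: dict[str, bytes]) -> bytes:
    """Constructed test archive (not a real Commvault web package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    benign = build_sample({"static/app.js": b"console.log('ok')"})
    hostile = build_sample({"../../webroot/shell.jsp": b"<% %>"})
    print(unsafe_entries(benign))   # []
    print(unsafe_entries(hostile))  # [('../../webroot/shell.jsp', 'path traversal')]
```

The same check generalises to any upload handler that unpacks archives: reject the whole package on the first finding rather than skipping individual members.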

Commvault has stated that exploitation of CVE-2025-34028 affected “a small number of customers” and that no unauthorized access to customer backup data has been observed. Meanwhile, the Federal Civilian Executive Branch (FCEB) agencies have been ordered to apply the security patch no later than May 23, 2025, to reinforce network security.

Source: https://thehackernews.com/2025/05/commvault-cve-2025-34028-added-to-cisa.html