Summary: A critical security vulnerability, tracked as CVE-2025-34028, has been found in the Commvault Command Center; it allows remote attackers to execute arbitrary code without authentication. The flaw affects versions 11.38.0 through 11.38.19, carries a CVSS score of 9.0, and can lead to complete compromise of the environment. It is resolved in versions 11.38.20 and 11.38.25, and organizations are urged to apply the fix or other necessary mitigations quickly.
Affected: Commvault Command Center (versions 11.38.0 – 11.38.19)
Key points:
- Vulnerability allows pre-authenticated remote code execution.
- Exploitation involves Server-Side Request Forgery via the endpoint “deployWebpackage.do”.
- ZIP archives containing malicious files can be used to escalate the attack.
- A Detection Artefact Generator is available to assess whether an installation is vulnerable.
- Users of other backup software, such as Veeam and NAKIVO, also face active exploitation risks.
Source: https://thehackernews.com/2025/04/critical-commvault-command-center-flaw.html
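The two checks a defender would want from the points above, as an added example that is not code from the article or from Commvault: a numeric version comparison against the affected range 11.38.0 through 11.38.19 (string comparison gets this wrong for builds like 11.38.9 versus 11.38.19), and a scan of web-server access logs for calls to the deployWebpackage.do endpoint so they can be reviewed. The log lines, the combined log format, and the /commandcenter/ path prefix are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Version range the advisory names as affected; the fix ships in 11.38.20 and 11.38.25.
AFFECTED_RANGE = ((11, 38, 0), (11, 38, 19))
FIXED_VERSIONS = {(11, 38, 20), (11, 38, 25)}

def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn a 'major.minor.patch' string into an integer tuple so that it compares
    numerically: as strings, '11.38.9' would sort after '11.38.19'."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    return tuple(int(p) for p in m.groups()) if m else None

def is_affected(version: str) -> bool:
    """True when the installed build falls inside 11.38.0 - 11.38.19 (inclusive)."""
    v = parse_version(version)
    return v is not None and AFFECTED_RANGE[0] <= v <= AFFECTED_RANGE[1]

# Constructed sample access-log lines in combined format (assumption: the real
# log format and URL prefix in front of Command Center may differ).
SAMPLE_LOG = """\
203.0.113.7 - - [22/Apr/2025:10:01:12 +0000] "POST /commandcenter/deployWebpackage.do HTTP/1.1" 200 512
10.0.0.5 - admin [22/Apr/2025:10:02:30 +0000] "GET /commandcenter/ HTTP/1.1" 200 2048
198.51.100.9 - - [22/Apr/2025:10:03:01 +0000] "POST /commandcenter/deployWebpackage.do HTTP/1.1" 500 0
"""
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def find_deploy_requests(log_text: str) -> List[Dict[str, str]]:
    """Return every request to deployWebpackage.do, the endpoint named in the
    advisory, with source IP, remote user ('-' means no authenticated user),
    timestamp, method and status, for analyst review."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed log format
        ip, user, ts, method, path, status = m.groups()
        if path.lower().endswith("/deploywebpackage.do"):
            hits.append({"ip": ip, "user": user, "time": ts,
                         "method": method, "status": status})
    return hits

if __name__ == "__main__":
    for v in ("11.38.9", "11.38.19", "11.38.20", "11.36.5"):
        print(v, "affected" if is_affected(v) else "not affected")
    for hit in find_deploy_requests(SAMPLE_LOG):
        print(hit)
```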