Critical Commvault Vulnerability in Attacker Crosshairs

A critical security vulnerability (CVE-2025-34028) has been identified in Commvault Command Center. It allows unauthenticated remote code execution and affects versions 11.38.0 to 11.38.19. The flaw has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, indicating heightened interest from threat actors. Commvault has since released updates that fix the issue and advises all organizations to review their exposure and prioritize patching.

Key points:

  • This is the second Commvault vulnerability added to CISA’s KEV catalog within a week.
  • CVE-2025-34028 carries a CVSS score of 10/10 and is a path traversal flaw that allows remote code execution.
  • Exploitation requires uploading ZIP files that can execute code after being unzipped by the server.
  • The issue affects Command Center versions 11.38.0 to 11.38.19, with fixes available in versions 11.38.20 and 11.38.25.
  • Commvault has warned that the flaw could lead to a complete compromise of the environment.
  • At the time of writing, no public reports have confirmed exploitation attempts for CVE-2025-34028.
  • Under Binding Operational Directive (BOD) 22-01, federal agencies must apply fixes by May 23.
  • All organizations are encouraged to review CISA’s KEV catalog and prioritize patching vulnerabilities.
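
The bug class described above, archive members whose paths climb out of the directory they are unpacked into, illustrated with an added defensive example: a pre-extraction check that rejects any upload containing traversal, absolute or drive-prefixed member names. This is not Commvault's code and does not reflect how Command Center actually processes uploads, which the page does not describe; the archives and file names are constructed for the demo.

```python
import io
import os
import tempfile
import zipfile
from pathlib import PurePosixPath

def unsafe_entries(zip_bytes: bytes) -> list[str]:
    """Names of archive members that would land outside the extraction root."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            parts = PurePosixPath(name).parts
            # Absolute paths and Windows drive prefixes never belong in an upload.
            if name.startswith("/") or (parts and parts[0].endswith(":")):
                flagged.append(info.filename)
                continue
            depth = 0  # how many directories below the root we currently are
            for part in parts:
                depth += -1 if part == ".." else (0 if part in ("", ".") else 1)
                if depth < 0:  # climbed above the root at some point
                    flagged.append(info.filename)
                    break
    return flagged

def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Refuse the whole archive if any member escapes; otherwise extract."""
    bad = unsafe_entries(zip_bytes)
    if bad:
        raise ValueError(f"refusing archive with traversal entries: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(os.path.realpath(dest))
        return zf.namelist()

def build_archive(members: dict[str, bytes]) -> bytes:
    """Constructed in-memory archive for the demo; names are not sanitised."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def demo() -> int:
    """Extract a clean constructed archive into a temp dir; return file count."""
    clean = build_archive({"conf/app.ini": b"x=1", "lib/util.txt": b"ok"})
    return len(safe_extract(clean, tempfile.mkdtemp()))
```

Rejecting the whole archive rather than skipping bad members keeps a partially written upload from reaching whatever later processes the extracted tree.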

Read More: https://www.securityweek.com/critical-commvault-vulnerability-in-attacker-crosshairs/