Commvault Command Center: path traversal in Commvault Command Center leading to remote code execution (CVE-2025-34028) #shorts
Summary
Welcome to today’s cybersecurity briefing. We’re discussing CVE-2025-34028, a newly disclosed, maximum-severity vulnerability in Commvault Command Center Innovation Release 11.38. Discovered by watchTowr Labs, this flaw allows unauthenticated attackers to achieve remote code execution on affected servers.
Product details
Commvault Command Center is a web-based management console for data protection, backup, and recovery workflows. The Innovation Release 11.38 is the latest major update, offering streamlined dashboarding, policy-driven automation, and API integrations for hybrid and multi-cloud environments.
Vulnerability type summary
This issue stems from an improper limitation of a pathname to a restricted directory, classified as CWE-22: Path Traversal. An attacker can bypass directory restrictions by crafting a ZIP archive whose entry names contain traversal sequences, causing the server to expand the archive and write files outside the intended workspace.
Details of the vulnerability
An unauthenticated actor uploads a specially crafted ZIP file to the Command Center interface. When the server extracts the archive, it honors `../` sequences or absolute paths embedded in the entry filenames, placing payloads in sensitive system folders. The attacker’s code runs with the privileges of the web service, enabling full remote code execution. A public proof-of-concept is circulating, and Metasploit modules are expected soon.
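As an added, defender-side illustration (not code from this page, from Commvault, or from watchTowr), the Python below shows the generic guard an extraction routine needs against the CWE-22 pattern described above: each archive entry name is filtered for traversal sequences and absolute paths, and the resolved destination is verified to stay under the extraction root. The archive, entry names and scratch directory are constructed for the demo.

```python
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath


def is_safe_entry(name: str) -> bool:
    """Name-based CWE-22 check: refuse absolute paths, drive letters and '..'."""
    normalised = name.replace("\\", "/")  # treat 'a\..\b' like 'a/../b'
    if normalised.startswith("/") or (len(normalised) > 1 and normalised[1] == ":"):
        return False
    return ".." not in PurePosixPath(normalised).parts


def safe_extract(archive: bytes, dest: str) -> list:
    """Extract members whose resolved path stays under dest; return refused names.
    The resolved-path check backstops anything the name filter misses."""
    root = Path(dest).resolve()
    rejected = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = (root / info.filename).resolve()
            if not is_safe_entry(info.filename) or root not in target.parents:
                rejected.append(info.filename)  # nothing is written for this member
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
    return rejected


def build_sample_archive() -> bytes:
    """Constructed demo archive (not an exploit payload): one benign entry and
    two traversal-style names of the kind the text describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("reports/summary.txt", "benign content")
        zf.writestr("../../outside.txt", "must not be written")
        zf.writestr("/tmp/absolute.txt", "must not be written")
    return buf.getvalue()


def run_demo() -> dict:
    """Extract the sample archive into a scratch directory and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        rejected = safe_extract(build_sample_archive(), tmp)
        written = sorted(str(p.relative_to(tmp)) for p in Path(tmp).rglob("*") if p.is_file())
    return {"rejected": rejected, "written": written}
```

The same two checks (entry-name filter plus resolved-path containment) apply to any archive format, and the rejected list is what an extraction log should record for the auditing mentioned below.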
Conclusion
If you’re running Commvault Command Center Innovation Release 11.38, consider yourself at risk. Immediately upgrade to the patched version when it becomes available, or apply vendor workarounds documented by Commvault. Monitor file upload endpoints and audit extraction logs for suspicious activity. Stay tuned for further updates and always prioritize timely patching to defend against emerging threats.
Watch the full video on YouTube: CVE-2025-34028
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://documentation.commvault.com/securityadvisories/CV_2025_04_1.html
- https://labs.watchtowr.com/fire-in-the-hole-were-breaching-the-vault-commvault-remote-code-execution-cve-2025-34028/
- https://github.com/watchtowrlabs/watchTowr-vs-Commvault-PreAuth-RCE-CVE-2025-34028
- [2025-04-24] Commvault Remote Code Execution vulnerability CVE-2025-34028 disclosed by watchTowr Labs.
- [2025-04-25] Commvault urges immediate patching of CVE-2025-34028 to prevent system takeover.
- [2025-04-24] Critical Commvault RCE vulnerability (CVE-2025-34028) fixed, PoC available; upgrade required.
- [2025-04-24] A maximum-severity vulnerability, CVE-2025-34028, in Commvault Command Center enables remote code execution (RCE).
- [2025-05-05] CISA adds Commvault CVE-2025-34028 to KEV catalog after active exploitation confirmed.