A major security vulnerability has been revealed in the Commvault Command Center, allowing attackers to execute arbitrary code remotely on affected installations. Tracked as CVE-2025-34028, the flaw poses a serious threat and has been assigned a CVSS score of 9.0 out of 10, highlighting its severity.
In a security advisory published on April 17, 2025, Commvault disclosed the vulnerability, which enables remote attackers to execute malicious code without authentication, leading to a complete compromise of the Command Center environment. The vulnerability affects versions 11.38.0 through 11.38.19 of the Commvault software and has been addressed in versions 11.38.20 and 11.38.25.
How the Vulnerability Works
The vulnerability stems from an endpoint known as “deployWebpackage.do” in the affected versions of Commvault Command Center. The issue is identified as a pre-authenticated Server-Side Request Forgery (SSRF), where there is no filtering on what hosts can be communicated with during the execution of requests. As a result, attackers can exploit this flaw to send malicious HTTP requests to the server, which then retrieves a ZIP file from an external server controlled by the attacker.
The attack is initiated when an attacker sends a request to the “/commandcenter/deployWebpackage.do” endpoint. This triggers the Commvault instance to download a ZIP file from a remote server. Inside this ZIP file, the attacker can include a malicious .JSP file, which is then extracted into a temporary directory under their control.
Exploitation Pathway: From SSRF to Remote Code Execution
The exploitation of this vulnerability involves several stages, ultimately leading to remote code execution on the affected system:
- Sending the Malicious Request: The attacker sends an HTTP request to the /commandcenter/deployWebpackage.do endpoint. The request forces the Commvault server to retrieve a ZIP archive containing a malicious .JSP file from an external server.
- Unzipping the Malicious File: The contents of the ZIP file are extracted into a temporary directory under the attacker's control.
- Directory Traversal and Escalation: Using a parameter called servicePack, the attacker can traverse into a pre-authenticated directory on the server, such as ../../Reports/MetricsUpload/shell.
- Executing the Malicious Code: After exploiting the SSRF flaw, the attacker can execute the malicious .JSP file located in the pre-authenticated directory. The attack is completed by executing the shell at the path /reports/MetricsUpload/shell/.tmp/dist-cc/dist-cc/shell.jsp, effectively allowing the attacker to execute arbitrary code remotely.
The vulnerability was discovered and reported by Sonny Macdonald of watchTowr Labs on April 7, 2025. In response, Commvault has addressed the issue in the updated versions 11.38.20 and 11.38.25. The flaw’s potential for remote code execution underscores the need for quick patching, especially as backup and replication software continues to be a prime target for cybercriminals.
In light of active exploitation in the wild of vulnerabilities in other backup solutions, such as Veeam and NAKIVO, users of Commvault Command Center are urged to apply the available updates immediately to mitigate the risk of a cyberattack.
How to Detect the Vulnerability in Affected Systems
For organizations seeking to confirm whether they are vulnerable to this security flaw, watchTowr Labs has provided a Detection Artefact Generator. This tool helps administrators identify whether their Commvault Command Center instance is susceptible to CVE-2025-34028. By running the tool, organizations can detect any potential vulnerabilities and take necessary actions before attackers can exploit them.
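As an added example (not code from the article, from Commvault, or from watchTowr Labs), the following Python script shows two checks a defender can run offline: a version-range test against the affected versions stated above, and a pass over web-server access logs for the indicators named in the exploitation pathway above (requests to the deployWebpackage.do endpoint, a servicePack value containing directory traversal, and JSP requests under the Reports/MetricsUpload/shell drop location). The log lines, client addresses and timestamps are constructed; the combined log format is an assumption and may differ from what a given Commvault deployment writes.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Indicators taken from the advisory summary in the article.
DEPLOY_ENDPOINT = "/commandcenter/deploywebpackage.do"      # compared case-insensitively
DROP_DIR_MARKER = "/reports/metricsupload/shell/"           # compared case-insensitively
AFFECTED_MIN = (11, 38, 0)                                  # affected range: 11.38.0 ...
AFFECTED_MAX = (11, 38, 19)                                 # ... through 11.38.19

# Assumed combined log format: client ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_version(text):
    """Return (major, minor, patch) from strings such as '11.38.19' or '11.38.19.0'."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    if len(parts) != 3:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(parts)


def is_affected_version(text):
    """True when the version lies inside the 11.38.0 - 11.38.19 range named in the advisory."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded traversal (e.g. %252e%252e%252f) is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target):
    """Return a finding label for one request target, or None when nothing matches."""
    parts = urlsplit(target)
    path = fully_decode(parts.path).lower()
    if path == DEPLOY_ENDPOINT:
        # Any servicePack value containing ../ (or ..\) is the traversal step described above.
        for key, values in parse_qs(fully_decode(parts.query)).items():
            if key.lower() != "servicepack":
                continue
            if any("../" in v.replace("\\", "/") for v in values):
                return "deployWebpackage.do with traversal in servicePack"
        return "deployWebpackage.do request (review)"
    if DROP_DIR_MARKER in path and path.endswith(".jsp"):
        # A JSP being fetched from the drop location is the execution step.
        return "JSP request under Reports/MetricsUpload/shell"
    return None


def scan_access_log(lines):
    """Return (client, timestamp, label, target) for every suspicious log line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than guess
        label = classify_request(m["target"])
        if label:
            findings.append((m["client"], m["ts"], label, m["target"]))
    return findings


# Constructed sample log; addresses and timestamps are invented for the example.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Apr/2025:09:12:01 +0000] "GET /commandcenter/ HTTP/1.1" 200 5120',
    '203.0.113.7 - - [18/Apr/2025:09:12:44 +0000] "POST /commandcenter/deployWebpackage.do'
    '?servicePack=..%2F..%2FReports%2FMetricsUpload%2Fshell HTTP/1.1" 200 12',
    '203.0.113.7 - - [18/Apr/2025:09:13:02 +0000] "GET /reports/MetricsUpload/shell/.tmp/dist-cc/dist-cc/shell.jsp HTTP/1.1" 200 88',
    '10.0.0.9 - - [18/Apr/2025:09:14:10 +0000] "POST /commandcenter/deployWebpackage.do?servicePack=SP38 HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    print("11.38.19 affected:", is_affected_version("11.38.19"))
    print("11.38.20 affected:", is_affected_version("11.38.20"))
    for client, ts, label, target in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {client} {label}: {target}")
```

The version check only answers whether an install is inside the range the advisory names; it does not replace watchTowr's generator or Commvault's own guidance. The log scan is deliberately noisy about the endpoint itself (a plain hit is labelled for review), and it decodes request targets more than once so that encoded traversal sequences are caught; adapt the regular expression if the deployment's access log uses a different layout.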
With the growing trend of cybercriminals targeting critical infrastructure, such as backup software, it is crucial that organizations apply the necessary mitigations as soon as possible. The exploitation of flaws like CVE-2025-34028 can lead to catastrophic consequences, including data loss, system compromise, and further exploitation of the affected environment.
Organizations should not only apply the latest patches but also regularly monitor their systems for signs of suspicious activity. In addition, implementing layered security controls, such as endpoint protection and network monitoring, can further reduce the risk of exploitation.