CVE-2025-34028 — Commvault Command Center Path Traversal Vulnerability

CVE-2025-34028

Commvault Command Center — Pre-Auth Path Traversal to Webshell RCE (CVSS 10; watchTowr)

What is Commvault Command Center?

Commvault Command Center is the web-based administrative interface for Commvault's enterprise data protection and backup platform. Commvault is deployed by large organizations and government agencies to manage backup and recovery of critical data across hybrid cloud environments. Because the Command Center has privileged access to backup agents on every protected server — including domain controllers, databases, and file servers — compromising it gives an attacker access to backup data (which may contain credentials and sensitive files) and the ability to corrupt or delete backups, eliminating recovery options before a ransomware attack.

Overview

CVE-2025-34028 is a maximum-severity path traversal vulnerability (CWE-22, CVSS 3.1 10.0) in Commvault Command Center. An unauthenticated remote attacker can send a request to a pre-authentication endpoint whose path components are not validated, traverse outside the intended directory, and write arbitrary files, including JSP webshells, into web-accessible locations on the server. Requesting the dropped JSP then executes attacker-supplied code with the privileges of the Commvault service account. watchTowr Labs discovered the flaw and published the technical analysis; Commvault issued advisory CV_2025_04_1 with fixed builds, and CISA subsequently added the CVE to its Known Exploited Vulnerabilities (KEV) catalog, which indicates active exploitation in the wild.

Affected Versions

Product                    Vulnerable   Fixed
Commvault Command Center   11.20.x      11.20.217
Commvault Command Center   11.28.x      11.28.141
Commvault Command Center   11.32.x      11.32.89
Commvault Command Center   11.36.x      11.36.46

Technical Details

The vulnerability (CWE-22: Path Traversal) is in a pre-authentication endpoint in Commvault Command Center that handles package/file operations. The endpoint fails to validate or sanitize path components in the request, allowing directory traversal sequences (../) to write files outside the intended upload directory. An attacker can write a JSP webshell to a web-accessible directory — such as the Command Center web root — and then request it via HTTP to achieve code execution with the Commvault service account's privileges.

The NVD vector scores Scope as Changed (S:C): the vulnerable component is the Command Center web application, but the impact reaches beyond it into the backup infrastructure it manages, because the service account under which the webshell runs has privileged access to backup agents across the protected environment.
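The root cause is a file-write path built from client input without a containment check. The following added example (not Commvault's code; the directory names and function names are hypothetical) shows the vulnerable pattern next to the hardened one. The hardened version decodes, normalises, resolves symlinks, and then proves the result still lies under the intended directory; it also generalises beyond the plain `../` case on this page to URL-encoded, double-encoded and backslash variants, which a naive filter misses.

```python
import os
from urllib.parse import unquote

# Constructed example of a package/upload handler's path handling.
# Not Commvault's code; "/srv/app/uploads" etc. are hypothetical names.


def unsafe_target_path(base_dir: str, requested_name: str) -> str:
    """Vulnerable pattern (CWE-22): the client-controlled name is joined onto
    the upload directory with no validation, so '../' segments walk out of it.
    normpath is applied only to show where the write would actually land; it
    does nothing to prevent the escape."""
    return os.path.normpath(os.path.join(base_dir, requested_name))


def safe_target_path(base_dir: str, requested_name: str) -> str:
    """Hardened pattern: canonicalise first, then check containment.
    Raises ValueError for anything that would leave base_dir."""
    # Decode twice so %2e%2e (single) and %252e%252e (double) are both
    # turned into literal dots before normalisation rather than after.
    name = unquote(unquote(requested_name))
    # Windows hosts honour both separators; treat '\' as '/'.
    name = name.replace("\\", "/")
    if not name:
        raise ValueError("empty name rejected")
    if "\x00" in name:
        raise ValueError("NUL byte rejected")
    if name.startswith("/") or ":" in name:
        raise ValueError("absolute or drive-qualified path rejected")
    base = os.path.realpath(base_dir)
    # realpath also resolves symlinks, so a link inside base_dir that points
    # outside it cannot be used to smuggle the write out.
    candidate = os.path.realpath(os.path.join(base, name))
    # commonpath is the containment test; a plain startswith() check would
    # wrongly accept /srv/app/uploads_evil when base is /srv/app/uploads.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes upload directory: {requested_name!r}")
    return candidate


def is_rejected(base_dir: str, requested_name: str) -> bool:
    """True if the hardened resolver refuses the name."""
    try:
        safe_target_path(base_dir, requested_name)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    base = "/srv/app/uploads"
    for name in ("pkg/readme.txt",
                 "../../webapps/ROOT/shell.jsp",
                 "..%2f..%2fwebapps%2fROOT%2fshell.jsp",
                 "%252e%252e%252fwebapps%252fROOT%252fshell.jsp",
                 "..\\..\\webapps\\ROOT\\shell.jsp"):
        print(f"{name!r:55} unsafe -> {unsafe_target_path(base, name)}"
              f"   hardened rejects: {is_rejected(base, name)}")
```

Note that `unsafe_target_path` happily returns a location under a hypothetical `webapps/ROOT` directory for the traversal inputs; that is the write that turns a file-upload bug into remote code execution when the target is a JSP-servable path. Rejecting the request outright, rather than stripping `../` and continuing, is the right response, because stripping can be bypassed with nested sequences such as `....//`.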

Discovery

Discovered by watchTowr Labs, who published a detailed technical analysis.

Exploitation Context

CISA added CVE-2025-34028 to the KEV catalog on 2 May 2025, ten days after the fixed builds and the CVE were published (see the timeline below), with a 21-day federal remediation deadline of 23 May 2025. KEV inclusion requires evidence of active exploitation, so any unpatched Command Center reachable from untrusted networks should be assumed to have been probed. Post-exploitation access to Commvault enables: access to backup archives containing credentials and sensitive data, deletion or corruption of backups to prevent ransomware recovery, and lateral movement to any system with a Commvault backup agent. No specific threat actor has been publicly named.

Remediation

  1. Apply the emergency patch immediately for your Commvault version: 11.20.217, 11.28.141, 11.32.89, or 11.36.46.
  2. Check for webshells: search the Command Center web directories for .jsp files created or modified after the installation or last patch date. Treat timestamps as a lead, not proof: an attacker can reset them, so also diff the web tree against a clean install of the same build and review any .jsp that is not part of the product.
  3. Review Commvault audit logs for unexpected administrative actions, new users created, or backup job modifications from unfamiliar IP addresses.
  4. Restrict Command Center network access: apply firewall rules to limit HTTPS access to the Command Center to trusted administrative networks only.
  5. Audit backup data integrity: if compromise is suspected, verify that backup archives have not been deleted or modified.
  6. Rotate Commvault service account credentials and any credentials stored in Command Center (cloud accounts, backup proxies).
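Steps 2 and 3 of the list above can be scripted. The added example below is not a Commvault tool: it sweeps a directory tree for .jsp files newer than a reference time, then scans web access log lines for traversal sequences and for requests that hit any of the newly found JSP names. The log format is assumed to be the Apache/Tomcat common access log style, the request paths (`/app/upload`, `/x.jsp`) and the sample lines are constructed for illustration, and the directory layout is created in a temporary folder rather than taken from a real install.

```python
import os
import re
import tempfile
import time

# Constructed example hunt script, not Commvault's code. Paths, log format
# and log lines are assumptions for illustration only.


def find_new_jsp(root: str, since_epoch: float) -> list:
    """Return .jsp files under root with mtime newer than since_epoch.
    Files shipped with the product predate the install; a dropped webshell
    does not. mtime can be timestomped, so this is a lead, not proof."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".jsp"):
                continue
            p = os.path.join(dirpath, fn)
            try:
                if os.stat(p).st_mtime > since_epoch:
                    hits.append(p)
            except OSError:
                continue
    return sorted(hits)


# client ident user [timestamp] "METHOD path proto" status bytes
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
# Plain, URL-encoded, double-encoded and backslash traversal markers.
TRAVERSAL_RE = re.compile(r'\.\./|\.\.\\|%2e%2e|%252e%252e|\.\.%2f|\.\.%5c', re.I)


def scan_access_log(lines, suspect_jsp_names=()) -> list:
    """Flag requests carrying traversal sequences and requests for any JSP
    whose basename is in suspect_jsp_names (output of find_new_jsp)."""
    suspects = {n.lower() for n in suspect_jsp_names}
    findings = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        client, ts, method, path, status = m.groups()
        bare_path = path.split("?", 1)[0]
        if TRAVERSAL_RE.search(path):
            findings.append((client, ts, "traversal", method, path, status))
        elif os.path.basename(bare_path).lower() in suspects:
            findings.append((client, ts, "suspect-jsp-hit", method, path, status))
    return findings


def hunt(web_root: str, install_epoch: float, log_lines) -> dict:
    """Correlate the two checks: new JSPs on disk, then log hits on them."""
    new_jsp = find_new_jsp(web_root, install_epoch)
    names = [os.path.basename(p) for p in new_jsp]
    return {"new_jsp": new_jsp, "log_findings": scan_access_log(log_lines, names)}


# Constructed log lines (not real traffic): one traversal write, one call to
# the dropped file, one benign request.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2025:03:12:41 +0000] "POST /app/upload?name=..%2f..%2fROOT%2fx.jsp HTTP/1.1" 200 17',
    '203.0.113.7 - - [10/May/2025:03:12:45 +0000] "GET /x.jsp?c=whoami HTTP/1.1" 200 512',
    '198.51.100.23 - - [10/May/2025:03:13:02 +0000] "GET /app/login HTTP/1.1" 200 2048',
]


def demo_hunt() -> dict:
    """Build a throwaway web tree with one shipped JSP (old mtime) and one
    dropped JSP (fresh), run hunt(), and return just the basenames/reasons."""
    install_epoch = time.time() - 86400            # pretend install was yesterday
    with tempfile.TemporaryDirectory() as root:
        shipped = os.path.join(root, "ROOT", "index.jsp")
        os.makedirs(os.path.dirname(shipped))
        with open(shipped, "w") as f:
            f.write("<%-- shipped page --%>")
        old = install_epoch - 3600
        os.utime(shipped, (old, old))              # older than the install
        with open(os.path.join(root, "ROOT", "x.jsp"), "w") as f:
            f.write("<%-- dropped file --%>")    # fresh mtime
        with open(os.path.join(root, "ROOT", "lib.jar"), "w") as f:
            f.write("ignored")
        result = hunt(root, install_epoch, SAMPLE_LOG)
        return {"new_jsp": [os.path.basename(p) for p in result["new_jsp"]],
                "log_reasons": [f[2] for f in result["log_findings"]]}


if __name__ == "__main__":
    print(demo_hunt())
```

On a real host, point `hunt()` at the Command Center web directories and feed it the web server's access logs; anything it reports should be preserved (copy the file and its timestamps) before the host is cleaned, and the source address of a traversal request is the pivot into the audit-log review in step 3.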

Key Details

CVE ID: CVE-2025-34028
Vendor / Product: Commvault Command Center
NVD Published: 2025-04-22
NVD Last Modified: 2025-11-06
CVSS 3.1 Score: 10.0
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity: CRITICAL
CWE: CWE-22 (Path Traversal)
CISA KEV Added: 2025-05-02
CISA KEV Deadline: 2025-05-23
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-05-23. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2025-04-22  Commvault publishes emergency advisory CV_2025_04_1; CVE published; patches released
2025-05-02  CISA adds CVE-2025-34028 to the Known Exploited Vulnerabilities catalog
2025-05-23  CISA BOD 22-01 remediation deadline