CyberSecurity news
@documentation.commvault.com
A critical remote code execution (RCE) vulnerability, tracked as CVE-2025-34028, has been discovered in Commvault Command Center. The flaw, rated 9.0 out of 10 in severity, allows unauthenticated remote attackers to execute arbitrary code on affected installations. It stems from a path traversal issue that can lead to a complete compromise of the Command Center environment. Commvault acknowledged the flaw in an advisory released on April 17, 2025, noting that attackers could gain control of the system without authentication.
Commvault Command Center versions 11.38.0 through 11.38.19 of the 11.38 Innovation Release are affected. The root cause lies in the "deployWebpackage.do" endpoint, which is exposed to a pre-authentication Server-Side Request Forgery (SSRF) because it does not restrict which hosts it will connect to. An attacker can send an HTTP request to the vulnerable endpoint that causes the Commvault instance to retrieve a malicious ZIP file from an external server. Once retrieved, the contents of the ZIP file are unzipped into a temporary directory under the attacker's control.
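As an added, defender-side example that is not from this article or from Commvault, the Python below shows the two controls whose absence is described above: an allow-list on the host an outbound fetch may contact, and a ZIP extractor that refuses (rather than silently rewrites) entries resolving outside the destination directory. The allow-listed host name and the archive contents are constructed for illustration.

```python
import io
import os
import tempfile
import zipfile
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"packages.example.internal"}  # assumed, constructed allow-list

def fetch_allowed(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Gate the outbound fetch: https only, listed host only, no user@host tricks."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname is None:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return parts.hostname.lower() in allowed_hosts

def safe_extract(zip_bytes: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Unpack an archive, refusing (not rewriting) entries that resolve outside dest."""
    dest_real = os.path.realpath(dest)
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            target = os.path.realpath(os.path.join(dest_real, name))
            # Absolute names or '..' components that escape dest are rejected.
            if (name.startswith(("/", "\\")) or os.path.isabs(name)
                    or os.path.commonpath([dest_real, target]) != dest_real):
                rejected.append(name)
                continue
            os.makedirs(target if info.is_dir() else os.path.dirname(target), exist_ok=True)
            if info.is_dir():
                continue
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(name)
    return written, rejected

def build_sample_zip() -> bytes:
    """Constructed archive: one legitimate entry and one '../' traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("webapp/index.html", "<html>ok</html>")
        zf.writestr("../../outside.txt", "escaped")
    return buf.getvalue()

def demo() -> tuple[list[str], list[str]]:
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_sample_zip(), os.path.join(tmp, "pkg"))
```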
The vulnerability was discovered and reported by Sonny Macdonald, a researcher at watchTowr Labs, on April 7, 2025. watchTowr published technical details and a proof-of-concept (PoC) exploit on April 24, 2025, increasing the urgency for users to apply the available patches. Commvault has addressed the vulnerability in versions 11.38.20 and 11.38.25 and urges all users to upgrade immediately. The entry for the flaw in NIST's National Vulnerability Database was last modified on April 23. watchTowr has also released a Detection Artefact Generator that organizations can use to determine whether their instance is affected.
Classification:
- HashTags: #RCE #Vulnerability #Cybersecurity
- Company: Commvault
- Target: Commvault Command Center
- Product: Command Center
- Feature: Remote Code Execution
- Type: Vulnerability
- Severity: Critical