Critical Commvault Flaw Allows Full System Takeover – Update NOW

Enterprises using Commvault Innovation Release are urged to patch immediately against CVE-2025-34028. This critical flaw allows attackers to run code remotely and gain full control.
A severe security vulnerability has been discovered in the Commvault Command Center, a widely adopted solution for enterprise backup and data management. This flaw, tracked as CVE-2025-34028 and assigned a critical severity score of 9.0 out of 10, could allow remote attackers to execute any code they desire on vulnerable Commvault installations without needing to log in.
The dangerous weakness was discovered and responsibly reported on April 7, 2025, by Sonny Macdonald, a researcher with watchTowr Labs. Their analysis revealed that the vulnerability lies within a specific web interface component named “deployWebpackage.do.”
This endpoint is susceptible to a pre-authenticated Server-Side Request Forgery (SSRF) attack because the Commvault system does not properly validate which external servers it is permitted to contact.
Commvault itself acknowledged the issue in a security advisory released on April 17, 2025, stating that this flaw “could lead to a complete compromise of the Command Center environment,” potentially exposing sensitive data and disrupting critical operations.
However, the SSRF vulnerability is just the starting point to achieving full code execution. Research revealed that attackers can further exploit this by sending a specially crafted ZIP archive containing a malicious “.JSP” file, tricking the Commvault server into fetching it from a server controlled by the attacker. The contents of this ZIP are then extracted to a temporary directory, a location the attacker can influence.
By manipulating the “servicePack” parameter in subsequent requests, the attacker can traverse the system’s directories, moving their malicious “.JSP” file into a publicly accessible location, such as “../../Reports/MetricsUpload/shell.” Finally, by triggering the SSRF vulnerability again, the attacker can execute their “.JSP” file from this accessible location, effectively running arbitrary code on the Commvault system.
Notably, the ZIP file is not read in the usual way. Instead, it is read from a “multipart request” before the vulnerable component processes the request, which could allow attackers to bypass security controls that inspect or block ordinary web requests.
watchTowr Labs reported the security issue to Commvault, which quickly addressed it with a patch. The patch was released on April 10, 2025, and the issue was publicly disclosed on April 17, 2025.
Commvault confirmed that the problem only affects the “Innovation Release” software, versions 11.38.0 to 11.38.19, on Linux and Windows; updating to version 11.38.20 or 11.38.25 resolves the issue. watchTowr Labs has also created a “Detection Artefact Generator” to help administrators identify systems exposed to CVE-2025-34028.
This research highlights that backup systems are becoming high-value targets for cyberattacks. These systems are crucial for restoring normal operations after an attack, and if they are compromised they pose a significant threat, primarily because they often hold credentials for critical company systems. The severity of the flaw emphasises the need for swift security updates for data protection and backup infrastructure to ensure optimal protection from such attacks.
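As an added, defender-side example that is not part of the HackRead article or watchTowr’s generator: a small Python check that flags web access-log lines touching the “deployWebpackage.do” endpoint, “servicePack” values containing traversal sequences, and JSP requests under Reports/MetricsUpload, together with a test for the affected 11.38.x version range. The log format, the URL prefixes in the sample lines and the assumption that a legitimate servicePack value is a plain token are assumptions, not details from the article.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Indicators from the write-up: the pre-auth endpoint, the servicePack parameter
# and the Reports/MetricsUpload drop location. URL prefixes below are assumptions.
ENDPOINT = "deploywebpackage.do"
DROP_DIR = "reports/metricsupload"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')

def classify_request(line):
    """Return finding tags for one access-log line (empty list if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    # Decode once before splitting so double-encoded traversal still surfaces.
    parts = urlsplit(unquote(m.group("url")))
    path = parts.path.lower()
    findings = []
    if ENDPOINT in path:
        findings.append("deployWebpackage-hit")  # SSRF entry point
        for value in parse_qs(parts.query).get("servicePack", []):
            # A legitimate value is assumed to be a plain token; ".." or a
            # separator marks the step that relocates the dropped .JSP file.
            if ".." in value or "/" in value or "\\" in value:
                findings.append("servicePack-traversal")
    if DROP_DIR in path and path.endswith(".jsp"):
        findings.append("jsp-in-metricsupload")  # execution of the dropped file
    return findings

def scan_log(lines):
    """Map each suspicious line to (client ip, findings)."""
    hits = []
    for line in lines:
        findings = classify_request(line)
        if findings:
            hits.append((line.split()[0], findings))
    return hits

def is_affected_version(version):
    """Innovation Release 11.38.0 through 11.38.19 is affected; 11.38.20 and later are fixed."""
    major, minor, patch = (int(x) for x in version.split(".")[:3])
    return (major, minor) == (11, 38) and patch <= 19

# Constructed sample log lines (not real traffic); the third is double-encoded.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Apr/2025:10:00:01 +0000] "GET /commandcenter/index.jsp HTTP/1.1" 200 512',
    '198.51.100.7 - - [07/Apr/2025:10:00:02 +0000] "POST /commandcenter/deployWebpackage.do?commcellId=1 HTTP/1.1" 200 0',
    '198.51.100.7 - - [07/Apr/2025:10:00:03 +0000] "POST /commandcenter/deployWebpackage.do?servicePack=..%252F..%252FReports%252FMetricsUpload%252Fshell HTTP/1.1" 200 0',
    '198.51.100.7 - - [07/Apr/2025:10:00:04 +0000] "GET /reports/MetricsUpload/shell/x.jsp HTTP/1.1" 200 77',
]
```

Running `scan_log(SAMPLE_LOG)` reports the three lines from 198.51.100.7 and ignores the ordinary index.jsp request.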
Agnidipta Sarkar, VP CISO Advisory, ColorTokens, commented on the latest development, stating, “This CVSS 10 flaw allows unauthenticated remote code execution, risking full compromise of Commvault’s Command Center. Immediate, sustained mitigation is essential. If full network shutdown isn’t feasible, tools like Xshield Gatekeeper can quickly isolate critical systems. Without action, the threat of ransomware and data loss is severe.”
HackRead