Critical Commvault RCE Vulnerability Lets Remote Attackers Execute Arbitrary Code

A critical vulnerability, CVE-2025-34028, has been discovered in the Commvault Command Center Innovation Release. It lets unauthenticated, remote attackers execute arbitrary code on the server.
The flaw carries a CVSS score of 9.0 (Critical), affects only the 11.38 release line of Command Center, and can lead to complete compromise of the host if exploited.
Security researchers identified a path traversal vulnerability in Commvault Command Center that allows unauthenticated actors to submit a malicious ZIP archive which, when the server expands it, results in remote code execution (RCE).
The archive's entry names carry crafted relative paths, so when the server writes the entries out they land outside the intended extraction directory. A file dropped where the application will load or serve it gives the attacker code execution and, from there, the ability to run arbitrary commands on the host.
“This flaw allows attackers to manipulate file paths in ways that can compromise system integrity. Consequently, successfully exploiting this vulnerability can lead to unauthorized access and execution of malicious commands,” security experts noted in their vulnerability analysis.
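The archive-expansion traversal described above (commonly called Zip Slip) is easiest to see in code. The block below is an added illustration written for this article; it is not Commvault code and not the disclosed exploit. It builds a constructed ZIP whose second entry name contains `../`, shows a naive extractor writing that entry outside its destination directory, and shows the canonicalise-and-compare check that rejects it. The directory layout (`app/upload/extract`, `app/webroot`) and the dropped file name are invented for the demo.

```python
"""Zip Slip: why expanding an archive with untrusted entry names leads to
path traversal, and the check that stops it.  Added illustration for this
article, not Commvault code; the archive below is constructed for the demo."""
import io
import os
import tempfile
import zipfile


def build_malicious_zip() -> bytes:
    """Constructed sample archive: one benign entry and one whose name uses
    '../' to climb out of the extraction directory (illustrative names only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("package/readme.txt", "harmless content")
        # The relative path is stored verbatim in the ZIP header; the writer
        # does not normalise it.
        zf.writestr("../../webroot/dropped.jsp", "<%-- attacker-controlled --%>")
    return buf.getvalue()


def naive_extract(zip_bytes: bytes, dest: str) -> list:
    """Vulnerable pattern: trusts the entry name, so os.path.join keeps the
    '../' components and the file is written wherever the name points."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.realpath(target))
    return written


def safe_extract(zip_bytes: bytes, dest: str) -> tuple:
    """Hardened pattern: canonicalise the destination and every target path,
    then refuse any entry that does not stay under the destination root.
    This catches '../' traversal, absolute entry names and symlinked parents,
    which a string-level strip of '../' would not."""
    root = os.path.realpath(dest)
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            try:
                inside = os.path.commonpath([root, target]) == root
            except ValueError:          # different drives on Windows
                inside = False
            if not inside:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written, rejected


def escaped_paths(written: list, dest: str) -> list:
    """Return the written paths that ended up outside dest."""
    root = os.path.realpath(dest)
    return [p for p in written if os.path.commonpath([root, p]) != root]


def demo() -> dict:
    """Run both extractors in a throwaway tree shaped like
    <tmp>/app/upload/extract so the escaped write stays inside <tmp>."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        dest = os.path.join(root, "app", "upload", "extract")
        os.makedirs(dest)
        naive = naive_extract(build_malicious_zip(), dest)
        safe_written, rejected = safe_extract(build_malicious_zip(), dest)
        return {
            "naive_escaped": [os.path.relpath(p, root).replace(os.sep, "/")
                              for p in escaped_paths(naive, dest)],
            "safe_escaped": escaped_paths(safe_written, dest),
            "rejected": rejected,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the naive loop writing `app/webroot/dropped.jsp`, two levels above the directory it was told to extract into, while the hardened version writes only the benign entry and reports the traversal entry as rejected. Python's own `ZipFile.extractall` already strips such components, which is why the vulnerable pattern is reproduced here with a hand-rolled loop of the kind found in many server-side upload handlers. The defence is to resolve both the root and each target with `realpath` and compare them, not to search the name for `../`.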
The vulnerability is particularly concerning because it requires no authentication: any attacker who can reach the Command Center web interface can attempt it without valid credentials. Only the Command Center Innovation Release 11.38 line is affected; other Commvault releases are not.
Affected Systems
The vulnerability affects Commvault deployments on both Linux and Windows, specifically Command Center versions 11.38.0 through 11.38.19. Organizations running these versions should update immediately to remove the exposure.
Commvault fixed the issue in version 11.38.20, released on April 10, 2025; version 11.38.25, released the same day, also contains the fix.
According to Commvault, Innovation Releases are updated automatically on predefined schedules, so most organizations should receive the fix without manual intervention. Where an immediate update is not feasible, security teams are advised to isolate Command Center installations from external network access until the patch can be applied.
watchTowr, a security research firm, responsibly disclosed the vulnerability to Commvault, which has acknowledged the firm's contribution to improving product security.
This discovery follows other security issues in Commvault products earlier this year, including a critical webserver vulnerability (CV_2025_03_1) and a SQL injection vulnerability (CV_2025_04_2), underlining the importance of keeping data protection platforms patched.
Organizations running Commvault should verify the version of their Command Center deployment and apply the update so that their data protection infrastructure remains secure against this threat.
The post Critical Commvault RCE Vulnerability Lets Remote Attackers Execute Arbitrary Code appeared first on Cyber Security News.