The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a maximum-severity security flaw impacting Commvault Command Center to its Known Exploited Vulnerabilities (KEV) catalog, a little over a week after it was publicly disclosed.
The vulnerability in question is CVE-2025-34028 (CVSS score: 10.0), a path traversal bug that affects 11.38 Innovation Release, from versions 11.38.0 through 11.38.19. It has been addressed in versions 11.38.20 and 11.38.25.
“Commvault Command Center contains a path traversal vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code,” CISA said.
The flaw essentially permits an attacker to upload ZIP files that, when decompressed on the target server, could result in remote code execution.
Cybersecurity company watchTowr Labs, which was credited with discovering and reporting the bug, said the problem resides in an endpoint called “deployWebpackage.do” that triggers a pre-authenticated Server-Side Request Forgery (SSRF), ultimately resulting in code execution when using a ZIP archive file containing a malicious .JSP file.
It’s currently not known in what context the vulnerability is being exploited, but the development makes it the second Commvault flaw to be weaponized in real-world attacks after CVE-2025-3928 (CVSS score: 8.7), an unspecified issue in the Commvault Web Server that allows a remote, authenticated attacker to create and execute web shells.
The company revealed last week that the exploitation activity affected a small number of customers but noted that there has been no unauthorized access to customer backup data.
In light of active exploitation of CVE-2025-34028, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary patches by May 23, 2025, to secure their networks.
