A critical security flaw has been disclosed in the Commvault Command Center that could allow arbitrary code execution on affected installations.
The vulnerability, tracked as CVE-2025-34028, carries a CVSS score of 9.0 out of a maximum of 10.0.
“A critical security vulnerability has been identified in the Command Center installation, allowing remote attackers to execute arbitrary code without authentication,” Commvault said in an advisory published on April 17, 2025. “This vulnerability could lead to a complete compromise of the Command Center environment.”
It impacts the 11.38 Innovation Release, from versions 11.38.0 through 11.38.19, and has been resolved in the following versions –
watchTowr Labs researcher Sonny Macdonald, who has been credited with discovering and reporting the flaw on April 7, 2025, said in a report shared with The Hacker News that it could be exploited to achieve pre-authenticated remote code execution.
Specifically, the issue is rooted in an endpoint called “deployWebpackage.do,” triggering what’s called a pre-authenticated Server-Side Request Forgery (SSRF) owing to the fact that there is “no filtering as to what hosts can be communicated with.”
To make matters worse, the SSRF flaw could then be escalated to achieve code execution by making use of a ZIP archive file containing a malicious .JSP file. The entire sequence of events is as follows –
- Send an HTTP request to /commandcenter/deployWebpackage.do, causing the Commvault instance to retrieve a ZIP file from an external server
- Contents of the ZIP file get unzipped into a .tmp directory under the attacker’s control
- Use the servicePack parameter to traverse the .tmp directory into a pre-authenticated facing directory on the server, such as ../../Reports/MetricsUpload/shell
- Execute the SSRF via /commandcenter/deployWebpackage.do
- Execute the shell from /reports/MetricsUpload/shell/.tmp/dist-cc/dist-cc/shell.jsp
watchTowr has also created a Detection Artefact Generator that organizations can use to determine if their instance is vulnerable to the vulnerability.
With vulnerabilities in backup and replication software like Veeam and NAKIVO coming under active exploitation in the wild, it’s essential that users apply necessary mitigations to safeguard against potential threats.
