CVE-2025-34028 - PatchNow

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-04-22

Added to CISA KEV: 2025-05-02 10 DAYS BETWEEN CVE AND KEV

🎯 Recommendations:

CRITICAL: Check for indicators of compromise - this vulnerability is in CISA KEV indicating active exploitation in the wild. Review logs, check for unauthorized access, verify system integrity
Apply patches immediately: upgrade to 11.38.20 with SP38-CU20-433/436 or 11.38.25 with SP38-CU25-434/438
If patching is not immediately possible, restrict network access to Commvault Command Center and implement additional authentication controls
Monitor for unauthorized file uploads, JSP file creation, and suspicious network connections
Review backup data integrity and check for signs of data exfiltration or ransomware deployment
Patch priority: CRITICAL - immediate action required due to active exploitation

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-34028 is a critical security vulnerability affecting Commvault Command Center, which has been confirmed as being actively exploited in the wild ^[1].

Vulnerability Overview

Type: Path Traversal leading to Remote Code Execution (RCE) ^[4] ^[1].
Severity: Critical (CVSS score of 10.0) ^[5].
Impact: Successful exploitation allows an unauthenticated, remote attacker to execute arbitrary code on the target server ^[3] ^[1].

Exploitation and Attack Details

Attack Method: The vulnerability exists because the application improperly handles ZIP files uploaded as install packages. An attacker can craft a malicious ZIP file containing a payload (such as a `.jsp` file) and use path traversal techniques to place this file in an executable directory on the server ^[2] ^[4].
Requirements: The attack is performed over the network and does not require authentication or user interaction ^[3] ^[1].
Active Exploitation: The vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation in the wild ^[1].
PoC Availability: Proof-of-concept exploit code is publicly available, including scripts for testing and detection (e.g., via Nuclei templates) ^[2] ^[4].

Affected Products and Mitigation

Affected Versions: The vulnerability primarily affects the Commvault Command Center Innovation Release, specifically version 11.38 ^[4].
Status: Users are strongly advised to apply the latest security patches provided by Commvault immediately. Given its inclusion in the CISA KEV catalog, organizations should prioritize patching to mitigate the risk of targeted attacks or ransomware campaigns that leverage this RCE capability ^[1].

Sources

Commvault CVE-2025-34028 Added to CISA KEV After Active ...
Commvault Command Center contains a path traversal vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code.
watchtowrlabs/watchTowr-vs-Commvault-PreAuth-RCE-CVE-2025 ...
This script is a proof of concept for CVE-2025-34028, for Commvault Web Interfaces. By uploading a zip file containing a code execution .jsp file,…
cve-2025-34028 - NVD
Description. The Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files that represent install packages that, ...
nuclei-templates/http/cves/2025/CVE-2025-34028.yaml at main ... - GitHub
A path traversal vulnerability in Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files, which, when expanded by the target server, result in Remote Code Execution. This issue affects Command Center Innovation Release: 11.38. Unauthenticated attackers can ..
CVE-2025-34028 - Exploits & Severity - Feedly
CVE-2025-34028 is a critical remote code execution vulnerability in Commvault Command Center, rated with a CVSS score of 10.0.