Critical Flaw in Commvault Exposes Command Center to Remote Code Execution


Data protection and data management software company Commvault is an industry leader in cloud data protection, providing cyber resilience solutions to thousands of organizations. Recently, a critical vulnerability was discovered in the Commvault Command Center, tracked as CVE-2025-34028. The flaw has been assigned a CVSS score of 10, the highest severity on the scale. This vulnerability allows unauthorized users to carry out remote code execution (RCE) and completely compromise the Command Center environment, enabling attacks that could disrupt or manipulate enterprise security and data management operations.

Technical Details of the Flaw

The vulnerability originates in one of several endpoints that are excluded from the authorization filters in the Command Center libraries. The endpoint “deployWebpackage.do” allows unauthenticated users to supply compressed files that perform RCE once the target unzips them. The resulting Server-Side Request Forgery (SSRF) can be escalated with path traversal so that the shell inside the archive is unzipped into a directory reachable without authentication, potentially leading to a successful RCE attack.

The exploitation chain worked through by watchTowr Labs in their analysis consists of sending an HTTP request to the deployWebpackage.do endpoint that causes Commvault to fetch a ZIP file from an externally controlled server and unzip it into a .tmp directory. A bad actor can use this chain to package a malicious .jsp file, host it on an external server, and combine SSRF with path traversal to reach RCE. Unfiltered outbound host communication and directory traversal make this type of attack possible by allowing unauthorized movement and escalation within the system.

Research and Disclosure

Sonny Macdonald at watchTowr Labs disclosed the vulnerability to Commvault PSIRT on April 7th, 2025. Commvault developed a patch for the flaw and released it on April 10th, followed by an advisory on April 17th. The watchTowr Labs analysis of the vulnerability explores the origin of the flaw, the technical details of the exploitation chain, and how threat actors can potentially use SSRF and other techniques to carry out eventual RCE attacks. A publicly available proof-of-concept underscores that the vulnerability is genuinely exploitable by bad actors and can cause damage to enterprise systems and operations.

Risk Assessment and Mitigation

The vulnerability affects Commvault on Linux and Windows platforms, and only the 11.38 Innovation Release is impacted. The flaw has been resolved in subsequent updates to that release, and all other versions of the software remain unaffected. Commvault’s Innovation releases are updated automatically, and SaaS customers have all necessary patches deployed without any customer action. For organizations that are unable to update the software immediately, the detection and mitigation steps include isolating the Command Center installation from external network access.

Organizations are recommended to “implement stringent API security measures that focus on identifying and understanding the behavior of all API endpoints, including those used by critical infrastructure like backup systems,” according to Eric Schwake, Director of Cybersecurity Strategy at Salt Security. “It is vital to enforce strict input validation and ensure strong authentication and authorization controls for all API functions, particularly those that manage file uploads or external connections. Additionally, continuous monitoring of API traffic is necessary to spot unusual activity that may indicate attempts to exploit these essential interfaces.” Protecting against threats that can arise from a vulnerability like this requires a proactive and strategic defense.
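Two of the controls recommended above, an allowlist on the hosts a package may be fetched from (the SSRF exposure) and validation of every archive entry before it is written so a path-traversal entry cannot land outside the extraction directory (the unzip step in the chain), as an added Python example that is not Commvault's code or the watchTowr analysis; the allowlisted host name, the sample archives and the `demo` helper are constructed for illustration.

```python
import io
import os
import tempfile
import zipfile
from urllib.parse import urlparse

ALLOWED_FETCH_HOSTS = {"packages.internal.example"}  # hypothetical allowlist (assumption, not a Commvault setting)

def is_allowed_fetch_url(url: str) -> bool:
    """SSRF control: fetch only HTTPS URLs whose host is on the allowlist."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname in ALLOWED_FETCH_HOSTS

def safe_extract(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Extract only if every entry resolves inside dest_dir (all names checked before any write)."""
    dest_real = os.path.realpath(dest_dir)
    targets = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            candidate = os.path.realpath(os.path.join(dest_real, info.filename))
            if os.path.commonpath([dest_real, candidate]) != dest_real:
                raise ValueError(f"entry escapes destination: {info.filename!r}")
            targets.append((info, candidate))
        for info, path in targets:
            os.makedirs(path if info.is_dir() else os.path.dirname(path), exist_ok=True)
            if not info.is_dir():
                with zf.open(info) as src, open(path, "wb") as dst:
                    dst.write(src.read())
    return [path for _, path in targets]

def build_zip(entries: dict[str, bytes]) -> bytes:
    """Constructed sample archive (not a real Command Center package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def demo() -> dict[str, bool]:
    """A clean archive extracts; one carrying a '../' entry is rejected before any write."""
    clean = build_zip({"app/index.html": b"<html></html>"})
    tainted = build_zip({"app/index.html": b"x", "../../outside.txt": b"x"})
    with tempfile.TemporaryDirectory() as d:
        clean_ok = len(safe_extract(clean, os.path.join(d, "clean"))) == 1
        try:
            safe_extract(tainted, os.path.join(d, "tainted"))
            rejected = False
        except ValueError:
            rejected = True
        nothing_written = not os.path.exists(os.path.join(d, "tainted"))
    return {"clean_ok": clean_ok, "tainted_rejected": rejected, "nothing_written": nothing_written}
```

Validating all entry names before writing any of them matters: rejecting on the first bad name after earlier entries were already extracted would still leave attacker-chosen content on disk.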

Broader Implications

This severe vulnerability in such widely used software reveals a significant gap in security in backup and disaster recovery platforms. Tactics like SSRF remain relevant as a vector for high-impact exploits that can lead to significant damage. Processes and endpoints that do not require sufficient authentication can leave organizations open to unauthorized users carrying out a wide range of actions within enterprise systems. Software vendors should take the disclosure of and response to this vulnerability as a call to ensure endpoint validation and access control in their products.

Author
  • Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.