Commvault Command Center has been impacted by a critical security vulnerability, CVE-2025-34028, with a CVSS score of 10. This vulnerability enables remote code execution (RCE). Review the details of this Cybersecurity Threat Advisory to minimize the risk from this threat.
What is the threat?
Researchers discovered a critical path traversal flaw in the Commvault Command Center Innovation release, versions 11.38.0 through 11.38.19. The flaw allows a remote, unauthenticated attacker to upload ZIP files that the server then decompresses, which can lead to remote code execution (RCE) on the target server.
Why is it noteworthy?
The Commvault Command Center is a web-based interface designed to manage data protection, backup, and recovery operations across enterprise environments. The vulnerability lies in the deployWebpackage.do component, which allows a pre-authentication Server-Side Request Forgery (SSRF) because of insufficient host validation. This flaw can be exploited to execute remote code by uploading a malicious ZIP archive containing a .jsp file.
What is the exposure or risk?
Since this vulnerability permits the execution of unauthorized code on the server remotely, it is particularly attractive to ransomware groups and other threat actors. They tend to target data protection solutions because of their central role in backup and recovery operations. With the significant access these systems provide and the minimal effort required to exploit them, this vulnerability will likely become a target, particularly now that a proof-of-concept (PoC) is publicly available.
What are the recommendations?
Barracuda recommends the following actions to limit the impact of this vulnerability:
- Update the affected Commvault product to the latest fixed version, 11.38.20.
- If installing the update is not feasible right away, isolate the Command Center installation from external network access.
- Keep access to the Commvault Command Center strictly internal; the service should never be reachable from the Internet.
- Follow your organization’s patching and testing guidelines to minimize potential operational impact.
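Two of the recommendations above (confirm the installed version is outside the affected range, and confirm the deployWebpackage.do endpoint is not being reached from outside the internal network) can be checked with a small script. The following is an added example, not Commvault's or Barracuda's code; the Common Log Format, the internal address ranges, the /commandcenter/ path prefix and the sample log lines are all assumptions constructed for the demonstration.

```python
# Added example (not Commvault's or Barracuda's code): two triage helpers for this advisory.
# Log format, internal ranges, path prefix and sample lines are constructed assumptions.
import ipaddress
import re
from typing import List, Tuple

AFFECTED_MIN = (11, 38, 0)   # first affected Innovation release named in the advisory
AFFECTED_MAX = (11, 38, 19)  # last affected release; 11.38.20 carries the fix

def parse_version(text: str) -> Tuple[int, ...]:
    """'11.38.19' -> (11, 38, 19); only the first three numeric components matter here."""
    nums = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def is_affected(version: str) -> bool:
    """True when the Command Center version is inside the vulnerable range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

# Assumed "internal" space: RFC 1918 plus loopback. Adjust to your own addressing plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Common Log Format: host ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def flag_deploy_requests(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(source_ip, method, path) for every deployWebpackage.do request from outside INTERNAL_NETS."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        src, method, path, _status = m.groups()
        if "deploywebpackage.do" not in path.lower():
            continue
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue  # hostname rather than an address; cannot classify
        if not any(addr in net for net in INTERNAL_NETS):
            hits.append((src, method, path))
    return hits

# Constructed sample lines (not real traffic); 203.0.113.45 is a documentation address.
SAMPLE_LOG = [
    '10.0.4.7 - - [24/Apr/2025:09:12:01 +0000] "GET /commandcenter/ HTTP/1.1" 200 5120',
    '203.0.113.45 - - [24/Apr/2025:09:13:22 +0000] "POST /commandcenter/deployWebpackage.do HTTP/1.1" 200 88',
    '192.168.1.20 - - [24/Apr/2025:09:14:05 +0000] "POST /commandcenter/deployWebpackage.do HTTP/1.1" 200 88',
]
```

Any hit returned by flag_deploy_requests on real logs means the endpoint is reachable from outside the ranges you consider internal, which is exactly the exposure the recommendations above tell you to remove.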
Reference
For more in-depth information about the recommendations, please visit the following link:
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.