A significant security vulnerability, identified as CVE-2025-34028, has been discovered in Commvault’s Command Center Innovation Release, specifically affecting version 11.38. This flaw enables unauthenticated remote attackers to execute arbitrary code, posing a severe risk to system integrity and data security.
Understanding the Vulnerability
The core issue lies in a path traversal vulnerability within the Commvault Command Center. This flaw allows attackers to upload malicious ZIP files without authentication. When these files are extracted by the server, they can lead to Remote Code Execution (RCE). By manipulating file paths during the extraction process, attackers can compromise system integrity, gaining unauthorized access and the ability to execute malicious commands.
Impacted Systems
This vulnerability affects Commvault deployments on both Linux and Windows platforms, specifically versions 11.38.0 through 11.38.19. Notably, only the Command Center Innovation Release version 11.38 is vulnerable; other installations within the same system remain secure.
Commvault’s Response and Resolution
Commvault has promptly addressed this critical issue by releasing updated versions of their software. The vulnerability has been resolved in version 11.38.20, released on April 10, 2025. Additionally, version 11.38.25, released on the same date, includes the fix. Organizations using affected versions are strongly encouraged to update immediately to mitigate the risk of exploitation.
According to Commvault, Innovation releases are automatically managed according to predefined schedules, meaning most organizations should receive the update without manual intervention. However, if immediate updating isn’t feasible, security teams are advised to isolate Command Center installations from external network access until patches can be applied.
Broader Security Context
This discovery follows several other security issues identified in Commvault products earlier this year, including a Critical Webserver Vulnerability (CV_2025_03_1) and SQL Injection Vulnerability (CV_2025_04_2). These incidents underscore the importance of maintaining up-to-date security patches for data protection platforms.
Recommendations for Organizations
Organizations utilizing Commvault systems should take the following steps to ensure their data protection infrastructure remains secure:
1. Verify Deployment Versions: Check the current version of your Commvault Command Center to determine if it falls within the affected range (11.38.0 through 11.38.19).
2. Apply Necessary Updates: If your system is running an affected version, update to version 11.38.20 or later immediately.
3. Isolate Vulnerable Systems: If immediate updating isn’t possible, isolate Command Center installations from external network access to prevent potential exploitation.
4. Monitor for Unusual Activity: Implement monitoring to detect any unauthorized access or unusual system behavior that may indicate exploitation attempts.
By taking these proactive measures, organizations can protect their systems from this critical vulnerability and maintain the integrity of their data protection infrastructure.
