Latest Cyber Security News

You are here: Home / General Cyber Security News / Commvault CVE-2025-34028 Added to CISA KEV After Active Exploitation Confirmed
May 5, 2025

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a maximum-severity security flaw impacting Commvault Command Center to its Known Exploited Vulnerabilities (KEV) catalog, a little over a week after it was publicly disclosed.

The vulnerability in question is CVE-2025-34028 (CVSS score: 10.0), a path traversal bug that affects 11.38 Innovation Release, from versions 11.38.0 through 11.38.19. It has been addressed in versions 11.38.20 and 11.38.25.

“Commvault Command Center contains a path traversal vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code,” CISA said.

✔ Approved Seller From Our Partners
Mullvad VPN Discount

Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).

➤ Get Mullvad VPN with 12% Discount


Cybersecurity

The flaw essentially permits an attacker to upload ZIP files that, when decompressed on the target server, could result in remote code execution.

Cybersecurity company watchTowr Labs, which was credited with discovering and reporting the bug, said the problem resides in an endpoint called “deployWebpackage.do” that triggers a pre-authenticated Server-Side Request Forgery (SSRF), ultimately resulting in code execution when using a ZIP archive file containing a malicious .JSP file.

It’s currently not known in what context the vulnerability is being exploited, but the development makes it the second Commvault flaw to be weaponized in real-world attacks after CVE-2025-3928 (CVSS score: 8.7), an unspecified issue in the Commvault Web Server that allows a remote, authenticated attacker to create and execute web shells.

The company revealed last week that the exploitation activity affected a small number of customers but noted that there has been no unauthorized access to customer backup data.

In light of active exploitation of CVE-2025-34028, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary patches by May 23, 2025, to secure their networks.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.


Some parts of this article are sourced from:
thehackernews.com

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *