Critical Commvault Command Center Flaw Enables Attackers to Execute Code Remotely

A critical security flaw has been disclosed in the Commvault Command Center that could allow arbitrary code execution on affected installations.

The vulnerability, tracked as CVE-2025-34028, carries a CVSS score of 9.0 out of a maximum of 10.0.

“A critical security vulnerability has been identified in the Command Center installation, allowing remote attackers to execute arbitrary code without authentication,” Commvault said in an advisory published on April 17, 2025. “This vulnerability could lead to a complete compromise of the Command Center environment.”

✔ Approved Seller From Our Partners

Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).

➤ Get Mullvad VPN with 12% Discount

It impacts the 11.38 Innovation Release, from versions 11.38.0 through 11.38.19, and has been resolved in the following versions –

• 11.38.20
• 11.38.25

watchTowr Labs researcher Sonny Macdonald, who has been credited with discovering and reporting the flaw on April 7, 2025, said in a report shared with The Hacker News that it could be exploited to achieve pre-authenticated remote code execution.

Specifically, the issue is rooted in an endpoint called “deployWebpackage.do,” triggering what’s called a pre-authenticated Server-Side Request Forgery (SSRF) owing to the fact that there is “no filtering as to what hosts can be communicated with.”

To make matters worse, the SSRF flaw could then be escalated to achieve code execution by making use of a ZIP archive file containing a malicious .JSP file. The entire sequence of events is as follows –

• Send an HTTP request to /commandcenter/deployWebpackage.do, causing the Commvault instance to retrieve a ZIP file from an external server
• Contents of the ZIP file get unzipped into a .tmp directory under the attacker’s control
• Use the servicePack parameter to traverse the .tmp directory into a pre-authenticated facing directory on the server, such as ../../Reports/MetricsUpload/shell
• Execute the SSRF via /commandcenter/deployWebpackage.do
• Execute the shell from /reports/MetricsUpload/shell/.tmp/dist-cc/dist-cc/shell.jsp

watchTowr has also created a Detection Artefact Generator that organizations can use to determine if their instance is vulnerable to the vulnerability.

With vulnerabilities in backup and replication software like Veeam and NAKIVO coming under active exploitation in the wild, it’s essential that users apply necessary mitigations to safeguard against potential threats.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.