Could 05, 2025Ravie LakshmananVulnerability / Zero-Day
The U.S. Cybersecurity and Infrastructure Safety Company (CISA) has added a maximum-severity safety flaw impacting Commvault Command Middle to its Identified Exploited Vulnerabilities (KEV) catalog, just a little over every week after it was publicly disclosed.
The vulnerability in query is CVE-2025-34028 (CVSS rating: 10.0), a path traversal bug that impacts 11.38 Innovation Launch, from variations 11.38.0 by 11.38.19. It has been addressed in variations 11.38.20 and 11.38.25.
“Commvault Command Middle incorporates a path traversal vulnerability that permits a distant, unauthenticated attacker to execute arbitrary code,” CISA stated.
The flaw primarily permits an attacker to add ZIP information that, when decompressed on the goal server, may lead to distant code execution.
Cybersecurity firm watchTowr Labs, which was credited with discovering and reporting the bug, stated the issue resides in an endpoint known as “deployWebpackage.do” that triggers a pre-authenticated Server-Facet Request Forgery (SSRF), finally leading to code execution when utilizing a ZIP archive file containing a malicious .JSP file.
It is presently not recognized in what context the vulnerability is being exploited, however the improvement makes it the second Commvault flaw to be weaponized in real-world assaults after CVE-2025-3928 (CVSS rating: 8.7), an unspecified problem within the Commvault Net Server that permits a distant, authenticated attacker to create and execute net shells.
The corporate revealed final week that the exploitation exercise affected a small variety of prospects however famous that there was no unauthorized entry to buyer backup knowledge.
In mild of energetic exploitation of CVE-2025-34028, Federal Civilian Government Department (FCEB) businesses are required to use the required patches by Could 23, 2025, to safe their networks.
Replace
Commvault, in an replace to its advisory on Could 6, 2025, stated the vulnerability may be remediated by putting in variations 11.38.20 or 11.38.25 alongside supplemental updates –
11.38.20, with the extra updates: SP38-CU20-433 and SP38-CU20-436
11.38.25, with the extra updates: SP38-CU25-434 and SP38-CU25-438
Safety researcher Will Dormann, who discovered that deploying simply 11.38.20 or 11.38.25 doesn’t repair the flaw, stated “I can not consider a conduct that’s extra vindictive to their prospects to botch language in an advisory so dangerous, and likewise to not trouble bumping launch variations for the fixes for a CVSS 10 EITW vulnerability.”
Discovered this text attention-grabbing? Comply with us on Twitter and LinkedIn to learn extra unique content material we submit.
