A newly discovered security vulnerability (CVE-2025-34028) in Commvault Command Center Innovation Release poses a significant threat to organizations relying on the platform for data protection. This critical flaw allows unauthenticated remote attackers to execute arbitrary code, potentially leading to complete system compromise. With a high CVSS score of 9.0, the vulnerability demands immediate attention and swift action from organizations utilizing the affected version.
The vulnerability specifically impacts version 11.38 of the Command Center installation, creating a pathway for malicious actors to gain unauthorized access and control over sensitive systems. Security researchers have identified a path traversal vulnerability that enables attackers to upload malicious ZIP files. When these files are expanded by the target server, they can trigger Remote Code Execution (RCE), effectively handing control of the system to the attacker.
Unauthenticated Access: A Hacker’s Dream Scenario
The severity of this vulnerability is amplified by the fact that it doesn’t require authentication. This means that remote attackers can exploit the flaw without needing valid credentials, significantly lowering the barrier to entry for malicious activity. The ability to manipulate file paths in ways that compromise system integrity allows attackers to execute unauthorized commands and gain access to sensitive data.
“This flaw allows attackers to manipulate file paths in ways that can compromise system integrity. Consequently, successfully exploiting this vulnerability can lead to unauthorized access and execution of malicious commands,” security experts warned in their vulnerability analysis.
Limited Scope, Maximum Impact: Targeting Version 11.38
Fortunately, the vulnerability is limited to the Command Center Innovation Release version 11.38. Other installations within the same system remain secure, mitigating the potential for widespread compromise. However, for organizations running the affected version, the risk is substantial and requires immediate remediation.
Linux and Windows Under Threat: Cross-Platform Vulnerability
The vulnerability impacts Commvault deployments running on both Linux and Windows platforms, specifically versions 11.38.0 through 11.38.19. Organizations using these versions are strongly encouraged to update immediately to mitigate the risk of exploitation, regardless of their operating system.
The Patch is Available: Upgrade to Secure Your Systems
Commvault has addressed this security issue in their latest releases. The vulnerability has been resolved in version 11.38.20, released on April 10, 2025. Additionally, version 11.38.25, released on the same date, also includes the fix. Upgrading to either of these versions will effectively eliminate the risk posed by this critical vulnerability.
Automated Updates: A Double-Edged Sword
According to Commvault, Innovation releases are automatically managed according to predefined schedules, meaning most organizations should receive the update without manual intervention. While this automated process offers convenience, it’s crucial for organizations to verify that the update has been successfully applied.
Immediate Action: Isolate and Patch
If immediate updating isn’t feasible, security teams are advised to isolate Command Center installations from external network access until patches can be applied. This temporary measure will prevent remote attackers from exploiting the vulnerability and gaining access to the system.
Responsible Disclosure: WatchTowr’s Contribution
WatchTowr, a security research firm, responsibly disclosed the vulnerability, allowing Commvault to address the issue before it could be widely exploited. Commvault has acknowledged WatchTowr’s contribution to improving product security, highlighting the importance of collaboration between security researchers and software vendors.
A Pattern of Vulnerabilities: Prioritizing Security Updates
This discovery follows several other security issues identified in Commvault products earlier this year, including a Critical Webserver Vulnerability (CV_2025_03_1) and SQL Injection Vulnerability (CV_2025_04_2). This underscores the importance of maintaining up-to-date security patches for data protection platforms and proactively addressing potential vulnerabilities.
Verify and Update: Protecting Your Data Infrastructure
Organizations utilizing Commvault systems should verify their deployment versions and apply necessary updates to ensure their data protection infrastructure remains secure against this significant threat. Proactive security measures and timely patching are essential for mitigating the risk of exploitation and safeguarding sensitive data.
