Over a week after it was published, the US Cybersecurity and Infrastructure Security Agency (CISA) added the maximum security flaws affecting the Commvault Command Center to its known Exploited Vulnerabilities (KEV) catalog.
The vulnerability in question is CVE-2025-34028 (CVSS score: 10.0). This is a past traversal bug affecting versions 11.38.0 to 11.38.19 to 11.38.19. It is described in versions 11.38.20 and 11.38.25.
“Commvault Command Center contains a past traversal vulnerability that allows remote, unauthorized attackers to execute arbitrary code,” the CISA said.
This flaw allows an attacker to upload a ZIP file. This can cause remote code execution when decompressed on the target server.
WatchTowr Labs, a cybersecurity company that was recognized to have discovered and reported the bug, said the issue resides on an endpoint called “DeployWebPackage.do.”
Currently, it is unknown in what context the vulnerability is being exploited, but development has the flaws of the second Commvault in the actual attack after CVE-2025-3928 (CVSS score: 8.7).
The company revealed last week that its exploitative activities had impacted a small number of customers, but noted that there was no unauthorized access to customer backup data.
In light of the active exploitation of CVE-2025-34028, the necessary patches must be applied by May 23, 2025 to ensure the network.
Source link
