A serious security vulnerability has been identified in the “Commvault Command Center,” a management console product used for backup and recovery operations. Security researchers have disclosed a critical path traversal vulnerability (CVE-2025-34028) that allows attackers to execute arbitrary code remotely without requiring authentication.

Vulnerability Details

The flaw affects “Command Center Innovation Release 11.38” and can be exploited by uploading specially crafted ZIP files that, when extracted on the server, enable malicious code execution. This vulnerability has received the highest possible Common Vulnerability Scoring System (CVSSv3.1) base score of 10.0, categorizing it as “Critical” – the most severe rating on the four-level scale.
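The defect class described above is server-side extraction of attacker-controlled ZIP entry names (path traversal, often called "zip slip"). The following added example, which is not Commvault's code and makes no claim about how Command Center implements its upload handling, shows the check a defender wants in any upload-and-extract path: validate every entry name before writing a single byte, and refuse the whole archive if any entry would land outside the extraction root. The archives and their contents are constructed in memory for illustration; the `is_safe_member`, `safe_extract`, `unsafe_entries` and `demo` names are hypothetical.

```python
from __future__ import annotations

import io
import os
import tempfile
import zipfile
from pathlib import PurePosixPath


def is_safe_member(name: str) -> bool:
    """Return True only if a ZIP entry name cannot leave the extraction root.

    Rejects empty names, NUL bytes, backslash separators, absolute paths,
    Windows drive prefixes and any '..' path component.  Together these cover
    the crafted-entry-name pattern behind path-traversal-on-extract bugs.
    """
    if not name or "\\" in name or "\x00" in name:
        return False
    p = PurePosixPath(name)
    if p.is_absolute() or (len(name) > 1 and name[1] == ":"):
        return False
    return ".." not in p.parts


def unsafe_entries(zip_bytes: bytes) -> list[str]:
    """List entry names that fail validation, without extracting anything."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if not is_safe_member(i.filename)]


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Extract an archive into dest_dir; raise ValueError before writing if any entry is unsafe."""
    dest_root = os.path.realpath(dest_dir)
    written: list[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Phase 1: validate every name first, so a bad entry late in the
        # archive never leaves a partially extracted upload behind.
        for info in zf.infolist():
            if not is_safe_member(info.filename):
                raise ValueError(f"rejected unsafe archive entry: {info.filename!r}")
            target = os.path.realpath(os.path.join(dest_root, info.filename))
            # Belt and braces: the resolved path must still sit under the root.
            if os.path.commonpath([dest_root, target]) != dest_root:
                raise ValueError(f"entry escapes extraction root: {info.filename!r}")
        # Phase 2: write files only after the whole archive passed.
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest_root, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Constructed helper: build an in-memory ZIP from a {name: content} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives (benign text content; not real payloads).
BENIGN_ZIP = build_archive({"reports/summary.txt": b"ok"})
TRAVERSAL_ZIP = build_archive({"reports/summary.txt": b"ok", "../outside.txt": b"x"})


def demo() -> tuple[list[str], str]:
    """Extract the benign archive, then show the traversal archive being refused."""
    with tempfile.TemporaryDirectory() as d:
        extracted = safe_extract(BENIGN_ZIP, d)
        try:
            safe_extract(TRAVERSAL_ZIP, d)
            outcome = "extracted"
        except ValueError:
            outcome = "rejected"
    return extracted, outcome


if __name__ == "__main__":
    print("unsafe entries:", unsafe_entries(TRAVERSAL_ZIP))
    print("demo:", demo())
```

Two design points matter here. Validation runs over the entire entry list before any write, so an archive with a traversal entry at position 900 does not leave 899 files on disk. And the name check is a positive allow rule on path components, not a search for the literal string `../`, so encoded or doubled separators do not slip past it; the `realpath`/`commonpath` comparison is a second, independent guard in case the name check is ever relaxed.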

Mitigation Available

Commvault released security patches on April 10, 2025, addressing this vulnerability in versions 11.38.25 and 11.38.20. The company is urging all users to update their systems immediately.

Alternative Protection Measures

For organizations unable to apply the security updates promptly, Commvault strongly recommends isolating the product from external network access to prevent potential exploitation.

Recommended Actions

  1. Update Commvault Command Center to version 11.38.25 or 11.38.20 immediately
  2. If immediate patching is not possible, isolate the system from external networks
  3. Monitor systems for any suspicious activity that might indicate exploitation attempts

Security experts emphasize the urgency of addressing this vulnerability due to its critical severity rating and the potential for complete system compromise if successfully exploited.

Author

Editorial Team
The Editorial Team at Security Land is comprised of experienced professionals dedicated to delivering insightful analysis, breaking news, and expert perspectives on the ever-evolving threat landscape.
