CVE-2025-34028
Published 2025-04-22
Priority: P1 (100) · CVSS 3.1 base score 10 (critical) · Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Tags: KEV · ITW · Exploit · Initial access
CISA Known Exploited Vulnerability, remediation due 2025-05-23
Exploited in the wild
EPSS: 97.16% (99.9th percentile)
The Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files that represent install packages that, when expanded by the target server, are vulnerable to path traversal vulnerability that can result in Remote Code Execution via malicious JSP.
This issue affects Command Center Innovation Release: 11.38.0 to 11.38.20. The vulnerability is fixed in 11.38.20 with SP38-CU20-433 and SP38-CU20-436 and also fixed in 11.38.25 with SP38-CU25-434 and SP38-CU25-438.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| commvault | command_center_innovation_release | 11.38.0 – 11.38.25 | — |
| commvault | commvault | >= 11.38.0 < 11.38.20 | 11.38.20 |
Detection & IOCs (extracted from sources)
- url: /commandcenter/deployServiceCommcell.do
- path: /reports/MetricsUpload/*.jsp
- other: fofa-query: icon_hash="1209838013"
- command (Nuclei probe request):

```http
POST /commandcenter/deployWebpackage.do HTTP/1.1
Host: {{Hostname}}
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded

commcellName={{interactsh-url}}&servicePack={{string}}&version=x
```

- Detect unauthenticated POST requests to /commandcenter/deployWebpackage.do with body parameters commcellName, servicePack, and version (the SSRF/RCE entry point). Path traversal sequences in the servicePack parameter (e.g., ../ or URL-encoded equivalents) are the exploit trigger.
- Detect unauthenticated POST requests to /commandcenter/deployServiceCommcell.do uploading a ZIP file (magic bytes PK) with a multipart body containing a servicePack field with path traversal sequences and a file field with a .zip filename.
- Post-exploitation webshell access is indicated by HTTP requests to URIs matching /reports/MetricsUpload*.jsp; monitor for .jsp file access under this path following any exploit attempt.
- The Nuclei probe checks for an HTTP 900 status code in response to the SSRF probe against /commandcenter/deployWebpackage.do; status code 900 is a strong indicator of a vulnerable Commvault instance.
- Use FOFA icon hash 1209838013 to identify internet-exposed Commvault Command Center instances for asset discovery and attack surface monitoring.
- The X-Requested-With: XMLHttpRequest header is present in exploit requests to /commandcenter/deployWebpackage.do; include this in detection logic to reduce false positives.
- The Snort/ET rules for deployServiceCommcell.do (sid:2061838) and deployWebpackage.do (sid:2061837) require TLS decryption (tls_state TLSDecrypt) to be effective against HTTPS traffic; blind spots exist on encrypted sessions without TLS inspection.
- The post-exploitation webshell rule (sid:2061839) uses an xbits:isset check tied to prior exploit detection (ET.CVE-2025-34028); it will only fire if the initial exploit attempt was also detected in the same session tracking window (120 seconds). Standalone webshell access without a preceding detected exploit will be missed.
- The vulnerability affects only Command Center Innovation Release versions 11.38.0 through 11.38.20; fixed versions are 11.38.20 with SP38-CU20-433/SP38-CU20-436 and 11.38.25 with SP38-CU25-434/SP38-CU25-438. Detections should be scoped to unpatched instances.
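As an added example (not code from this page or from any of the sources it cites), the following Python applies the logic of the three ET rules to constructed request records: a POST to either endpoint whose servicePack value matches the rules' traversal pattern raises an exploit alert and sets per-source state, a later hit on /reports/MetricsUpload*.jsp from that source within 120 seconds is reported as correlated, and a .jsp hit with no prior detected attempt is reported separately instead of being dropped, which covers the blind spot noted above. The request records, addresses and multipart body are constructed test data.

```python
import re
from urllib.parse import parse_qs, urlparse

# Traversal test adapted from the ET rules' pcre: one or two dots (literal or %2e)
# followed by one or more slashes/backslashes (literal or encoded), two or more times.
TRAVERSAL_RE = re.compile(r"(?:(?:\.|%2[Ee]){1,2}(?:/|\\|%5[Cc]|%2[Ff])+){2,}")
EXPLOIT_URIS = {"/commandcenter/deployWebpackage.do", "/commandcenter/deployServiceCommcell.do"}
WEBSHELL_RE = re.compile(r"^/reports/MetricsUpload.*\.jsp", re.IGNORECASE)
WINDOW = 120  # seconds; mirrors the "xbits ... expire 120" state the ET rules keep per source
MULTIPART_SP = re.compile(r'name="servicePack"[^\r\n]*\r?\n(?:[^\r\n]+\r?\n)*\r?\n([^\r\n]*)')

def service_pack(body: str) -> str:
    """servicePack from a multipart body (deployServiceCommcell.do) or a urlencoded body
    (deployWebpackage.do). parse_qs decodes once, so double-encoded values still show %2e/%2f."""
    m = MULTIPART_SP.search(body)
    if m:
        return m.group(1)
    return parse_qs(body, keep_blank_values=True).get("servicePack", [""])[0]

def detect(requests):
    """Return (alert, src, path) tuples for time-ordered request dicts with ts, src, method, uri, body."""
    alerts, last_exploit = [], {}  # last_exploit plays the role of the per-source xbit
    for r in requests:
        path = urlparse(r["uri"]).path
        if r["method"] == "POST" and path in EXPLOIT_URIS:
            if TRAVERSAL_RE.search(service_pack(r.get("body", ""))):
                last_exploit[r["src"]] = r["ts"]
                alerts.append(("exploit_attempt", r["src"], path))
        elif WEBSHELL_RE.match(path):
            seen = last_exploit.get(r["src"])
            if seen is not None and r["ts"] - seen <= WINDOW:
                alerts.append(("webshell_correlated", r["src"], path))
            else:  # no prior detected attempt in the window: the ET rule would stay silent here
                alerts.append(("webshell_uncorrelated", r["src"], path))
    return alerts

# Constructed sample traffic (not real captures); ts is epoch seconds, IPs are documentation ranges.
SAMPLE_REQUESTS = [
    {"ts": 100, "src": "198.51.100.7", "method": "POST", "uri": "/commandcenter/deployWebpackage.do",
     "body": "commcellName=x&servicePack=..%2f..%2fpkg&version=x"},
    {"ts": 110, "src": "198.51.100.7", "method": "GET", "uri": "/reports/MetricsUpload/example.jsp", "body": ""},
    {"ts": 300, "src": "203.0.113.5", "method": "GET", "uri": "/reports/MetricsUpload/example.jsp", "body": ""},
    {"ts": 400, "src": "203.0.113.9", "method": "POST", "uri": "/commandcenter/deployWebpackage.do",
     "body": "commcellName=x&servicePack=SP38_CU20&version=x"},
    {"ts": 500, "src": "192.0.2.4", "method": "POST", "uri": "/commandcenter/deployServiceCommcell.do",
     "body": '--b\r\nContent-Disposition: form-data; name="servicePack"\r\nContent-Type: text/plain\r\n\r\n'
             '..%5c..%5cpkg\r\n--b\r\nContent-Disposition: form-data; name="file"; filename="pkg.zip"\r\n--b--'},
]
```

Running `detect(SAMPLE_REQUESTS)` yields one exploit alert per traversal POST, a correlated webshell hit for the first source, and an uncorrelated hit for the source that was never seen exploiting; the clean SP38_CU20 request raises nothing.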
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | — | 9.3 | CRITICAL | — |
| cisa | — | 9.3 | CRITICAL | — |
GHSA
GHSA-6q9c-pjw5-5rjm · ghsa_unreviewed · 2025-04-22 · CVE-2025-34028 [CRITICAL] CWE-22
A path traversal vulnerability in Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files, which, when expanded by the target server, result in Remote Code Execution.
This issue affects Command Center Innovation Release: 11.38.
VulnCheck
Commvault Command Center Path Traversal Vulnerability
vulncheck · 2025 · CVSS 9.3 · CVE-2025-34028 [CRITICAL] CWE-22
Commvault Command Center contains a path traversal vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code.
Affected: Commvault Command Center
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References:
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-04-30&host_type=src&vulnerability=cve-2025-34028
- https://fortiguard.fortinet.com/outbreak-alert/commvault-cc-path-traversal
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-05-02&host_type=src&vulnerability=cve-2025-34028
- https://www.cisa.g
CISA
Commvault Command Center Path Traversal Vulnerability
cisa · 2025-05-02 · CVSS 9.3 · CVE-2025-34028 [CRITICAL] CWE-22
Vulnerability: Commvault Command Center Path Traversal Vulnerability
Affected: Commvault Command Center
Commvault Command Center contains a path traversal vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes:
- https://documentation.commvault.com/securityadvisories/CV_2025_04_1.html
- https://nvd.nist.gov/vuln/detail/CVE-2025-34028
Remediation Due Date: 2025-05-23
Suricata
ET WEB_SPECIFIC_APPS Commvault Pre-Auth RCE via deployServiceCommcell.do (CVE-2025-34028)
suricata · 2025-04-24 · CVSS 9.3 · CVE-2025-34028 [CRITICAL]
Rule:

```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Commvault Pre-Auth RCE via deployServiceCommcell.do (CVE-2025-34028)"; flow:established,to_server; xbits:set,ET.CVE-2025-34028,track ip_dst,expire 120; http.method; content:"POST"; http.uri; bsize:39; content:"/commandcenter/deployServiceCommcell.do"; fast_pattern; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|servicePack|22|"; content:"Content-Type|3a 20|text/plain"; within:50; pcre:"/^[^\x26]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|file|22 3b 20|filename|3d 22|"; content:".zip|22|"; within:100; content:"Content
```
Suricata
ET WEB_SPECIFIC_APPS Commvault Pre-Auth SSRF/RCE via deployWebpackage.do (CVE-2025-34028)
suricata · 2025-04-24 · CVSS 9.3 · CVE-2025-34028 [CRITICAL]
Rule:

```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Commvault Pre-Auth SSRF/RCE via deployWebpackage.do (CVE-2025-34028)"; flow:established,to_server; xbits:set,ET.CVE-2025-34028,track ip_dst,expire 120; http.method; content:"POST"; http.uri; bsize:34; content:"/commandcenter/deployWebpackage.do"; fast_pattern; http.request_body; content:"commcellName|3d|"; content:"servicePack|3d|"; pcre:"/^[^\x26]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; content:"version|3d|"; reference:cve,2025-34028; reference:url,labs.watchtowr.com/fire-in-the-hole-were-breaching-the-vault-commvault-remote-code-execution-cve-2025-34028/; classtype:attempted-admin; sid:2061837; rev:1; meta
```
Suricata
ET MALWARE Commvault Pre-Auth RCE (CVE-2025-34028) Post-Exploitation Activity (jsp webshell)
suricata · 2025-04-24 · CVSS 9.3 · CVE-2025-34028 [CRITICAL]
Rule:

```
alert http any any -> $HOME_NET any (msg:"ET MALWARE Commvault Pre-Auth RCE (CVE-2025-34028) Post-Exploitation Activity (jsp webshell)"; flow:established,to_server; xbits:isset,ET.CVE-2025-34028,track ip_dst; http.uri; content:"/reports/MetricsUpload"; fast_pattern; startswith; content:".jsp"; distance:0; reference:url,labs.watchtowr.com/fire-in-the-hole-were-breaching-the-vault-commvault-remote-code-execution-cve-2025-34028/; reference:cve,2025-34028; classtype:trojan-activity; sid:2061839; rev:1; metadata:affected_product Commvault, attack_target Web_Server, tls_state TLSDecrypt, created_at 2025_04_24, cve CVE_2025_34028, deployment Perimeter, deployment Internal, performance_impact Low, c
```
Nuclei
Commvault - SSRF via /commandcenter/deployWebpackage.do
nuclei · CVSS 9.3 · CVE-2025-34028 [CRITICAL]
A path traversal vulnerability in Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files, which, when expanded by the target server, result in Remote Code Execution. This issue affects Command Center Innovation Release: 11.38.
Template:

```yaml
id: CVE-2025-34028

info:
  name: Commvault - SSRF via /commandcenter/deployWebpackage.do
  author: DhiyaneshDk,abhishekrautela
  severity: critical
  description: |
    A path traversal vulnerability in Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files, which, when expanded by the target server, result in Remote Code Execution. This issue affects Command Center Innovation Release: 11.38.
  impact: |
    Unauthenticated attackers c
```
Checkpoint
26th May – Threat Intelligence Report
blogs_checkpoint · 2025-05-26 · CVE-2025-4918
For the latest discoveries in cyber research for the week of 26th May, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Cellcom, a Wisconsin-based wireless provider, has been impacted by a cyberattack that resulted in widespread outages of voice and SMS services beginning on May 14, 2025. The incident disrupted communication for customers across Wisconsin and Upper Michigan, leaving them unable to make phone calls or send text messages. No threat
Wiz
Crying Out Cloud Newsletter - May 2025 | Wiz
blogs_wiz · 2025-05-01 · CVSS 10.0 · CVE-2025-32433 [CRITICAL]
Welcome back! This month we've seen a lot of action, with both vulnerabilities and security incidents that have left users affected. We bring you the latest cloud security highlights, to help you stay informed and stay secure.
Here are our top picks of cloud security highlights!
Hype or no hype – Critical Vulnerability in Erlang/OTP SSH Implementation
CVE-2025-32433 is a critical vulnerability (CVSS 10.0) in the Erlang/Open Telecom Platform (OTP) SSH implementation that allows unauthenticated remote attackers to execute arbitrary code by exploiting flaws in how the SSH protocol sequence is handled. Specifically, the vulnerability stems from the improper enforcement of message ordering, enabling attackers to send malicious SSH protocol messages before authentication and gain code executi
Greynoiseio
NoiseLetter April 2025
blogs_greynoiseio
References
- https://documentation.commvault.com/securityadvisories/CV_2025_04_1.html
- https://github.com/watchtowrlabs/watchTowr-vs-Commvault-PreAuth-RCE-CVE-2025-34028
- https://labs.watchtowr.com/fire-in-the-hole-were-breaching-the-vault-commvault-remote-code-execution-cve-2025-34028/
- https://www.vulncheck.com/advisories/commvault-command-center-innovation-release-unauthenticated-install-package-path-traversal
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-34028

Timeline
- 2025-04-22: Published
- 2025-05-02: Added to CISA KEV
- Exploited in the wild