Security researchers have identified a path traversal vulnerability in Commvault Command Center that allows unauthenticated actors to upload malicious ZIP files which, when expanded by the target server, can result in Remote Code Execution (RCE). The flaw, tracked as CVE-2025-34028, affects the Commvault Command Center Innovation Release and enables unauthenticated attackers to execute arbitrary code remotely.

The vulnerability carries a high CVSS score of 9.0 and specifically affects version 11.38 of the Command Center installation; successful exploitation could lead to complete system compromise. It impacts Commvault deployments running on both Linux and Windows, specifically versions 11.38.0 through 11.38.19. This critical flaw enables attackers to manipulate file paths in ways that compromise system integrity, potentially leading to unauthorized access and execution of malicious commands. “Consequently, successfully exploiting this vulnerability can lead to unauthorized access and execution of malicious commands,” security experts noted in their vulnerability analysis.

This discovery follows several other security issues identified in Commvault products earlier this year, including a Critical Webserver Vulnerability (CV_2025_03_1) and an SQL Injection Vulnerability (CV_2025_04_2), highlighting the importance of keeping data protection platforms up to date with security patches. Organizations using the affected versions are strongly encouraged to update immediately to mitigate the risk of exploitation. If immediate updating isn’t feasible, security teams are advised to isolate Command Center installations from external network access until patches can be applied.
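As an added, defender-side illustration of the bug class described above (an uploaded ZIP whose member names traverse out of the directory the server expands it into), and not code from Commvault or from the original article: a Python check that refuses such an archive before any file is written. The destination directory and the archive contents are constructed sample values, not anything from the advisory.

```python
import io
import os
import zipfile


def build_sample_zip(include_traversal: bool = True) -> bytes:
    """Constructed sample archive: two benign members plus, optionally, two members
    whose names climb out of the extraction directory (POSIX- and Windows-style)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "quarterly backup summary\n")
        zf.writestr("sub/../notes.txt", "normalises to notes.txt, still inside dest\n")
        if include_traversal:
            zf.writestr("../../../etc/cron.d/evil", "attacker-controlled content\n")
            zf.writestr("..\\..\\windows\\evil.dll", "attacker-controlled content\n")
    return buf.getvalue()


def find_traversal_entries(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Return the names of archive members whose resolved path lands outside dest_dir."""
    dest = os.path.realpath(dest_dir)
    escaping = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Absolute or drive-qualified member names are never acceptable in an upload.
            if name.startswith(("/", "\\")) or os.path.splitdrive(name)[0]:
                escaping.append(name)
                continue
            # Treat backslashes as separators so a Windows-style '..\' is caught on any host,
            # then resolve '..' and symlinks before comparing against the destination root.
            target = os.path.realpath(os.path.join(dest, name.replace("\\", "/")))
            if os.path.commonpath([dest, target]) != dest:
                escaping.append(name)
    return escaping


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Expand the archive only when every member stays under dest_dir.
    One escaping member rejects the whole upload: silently skipping it would still leave
    the rest of an attacker-crafted archive on disk."""
    escaping = find_traversal_entries(zip_bytes, dest_dir)
    if escaping:
        raise ValueError(f"refusing archive: members escape {dest_dir}: {escaping}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest_dir)
        return sorted(zf.namelist())
```

Note that the resolved-path comparison is what matters: a lexical check for the substring `..` would miss absolute names and would wrongly reject `sub/../notes.txt`, which stays inside the tree.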
This article was published on cybersecuritynews.com. Publication date: Thu, 24 Apr 2025 02:20:10 +0000