
Commvault vulnerability poses serious risk to company data

Security researchers are warning about a critical vulnerability in certain versions of Commvault's Command Center, the web-based management console for its backup platform. The flaw allows an unauthenticated, remote attacker to execute arbitrary code on affected systems.

The vulnerability, designated CVE-2025-34028, affects Commvault versions 11.38.0 through 11.38.19 on both Windows and Linux. Commvault fixed the issue in version 11.38.20, which, according to the company, is installed automatically on affected systems without manual intervention.

Even so, organizations should verify rather than assume. Two checks matter: that the deployment is actually able to receive automatic updates (the Commvault environment must be connected to the update system, and nothing in its configuration may block updates), and that version 11.38.20 or later is what is actually running on the systems in question.

Heath Renfrow, Chief Information Security Officer and co-founder of Fenix24, told Dark Reading by email that all organizations should treat this issue as urgent and prioritize applying the fix. Until the patch has been applied and verified, he said, organizations should temporarily restrict internet access to the Command Center interface through firewall rules or access controls.

Monitor abnormal outgoing requests

Renfrow also called for monitoring of abnormal outgoing requests to unknown ZIP sources, file creation in temporary folders, and unauthorized access to the /reports/MetricsUpload path. He further advised isolating the application, segmenting management interfaces, and logging all interactions with Command Center.
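The three signals in that list translate directly into detection rules. The following is an added example, not Commvault's or Fenix24's tooling, that runs such rules over constructed log lines: a web access log checked for the watched path, an egress log checked for ZIP downloads from hosts outside a known-good set, and file-creation events checked for server-executable files landing in a temporary directory. The log formats, hostnames, temp-directory markers and the known-good update host are all assumptions made for the illustration.

```python
# Added example (not Commvault's tooling): a small triage pass over the three signals
# named above, run over constructed log lines. The log formats, the hostnames and the
# known-good update host are assumptions made for this illustration.
import re
from dataclasses import dataclass

# Combined/common access-log format, as a web server or reverse proxy would write it.
ACCESS_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed egress record: "<timestamp> <process> <destination-host> <url>".
EGRESS_RE = re.compile(r'^(?P<ts>\S+) (?P<proc>\S+) (?P<host>\S+) (?P<url>\S+)$')

KNOWN_UPDATE_HOSTS = {"updates.backup-vendor.invalid"}  # hypothetical allowlist
WATCHED_PATH_PREFIX = "/reports/MetricsUpload"          # path named in the article
SERVER_EXECUTABLE = (".jsp", ".jspx", ".war")
TEMP_MARKERS = ("/tmp/", "/.tmp/", "/temp/")


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def scan_access_log(lines):
    """Flags any request whose path falls under the watched upload directory."""
    findings = []
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if path.startswith(WATCHED_PATH_PREFIX):
            findings.append(Finding("access-to-watched-path",
                                    f'{m.group("src")} {m.group("method")} {path}'))
    return findings


def scan_egress_log(lines):
    """Flags ZIP downloads from any host that is not a known update source."""
    findings = []
    for line in lines:
        m = EGRESS_RE.match(line)
        if not m:
            continue
        host, url = m.group("host").lower(), m.group("url")
        if url.lower().split("?", 1)[0].endswith(".zip") and host not in KNOWN_UPDATE_HOSTS:
            findings.append(Finding("zip-from-unknown-host", f'{m.group("proc")} fetched {url}'))
    return findings


def scan_file_events(events):
    """events: (path, process) pairs from an EDR or auditd feed (assumed shape).
    Flags server-executable files created under a temporary directory."""
    findings = []
    for path, proc in events:
        low = path.replace("\\", "/").lower()
        if any(marker in low for marker in TEMP_MARKERS) and low.endswith(SERVER_EXECUTABLE):
            findings.append(Finding("server-executable-in-temp", f"{proc} wrote {path}"))
    return findings


# Constructed sample data: two access-log lines, two egress records, two file events.
SAMPLE_ACCESS = [
    '10.0.0.5 - - [24/Apr/2025:10:01:02 +0000] "GET /commandcenter/login HTTP/1.1" 200 1234',
    '203.0.113.7 - - [24/Apr/2025:10:02:15 +0000] "GET /reports/MetricsUpload/x.jsp?cmd=id HTTP/1.1" 200 88',
]
SAMPLE_EGRESS = [
    "2025-04-24T10:02:10Z java updates.backup-vendor.invalid https://updates.backup-vendor.invalid/sp/11.38.20.zip",
    "2025-04-24T10:02:11Z java attacker.invalid https://attacker.invalid/dist.zip",
]
SAMPLE_FILE_EVENTS = [
    ("/opt/app/.tmp/dist/readme.txt", "java"),
    ("/opt/app/.tmp/dist/x.jsp", "java"),
]


def run_triage(access=SAMPLE_ACCESS, egress=SAMPLE_EGRESS, events=SAMPLE_FILE_EVENTS):
    """Returns the rule names that fired, per source, so the result can be checked."""
    return {
        "access": [f.rule for f in scan_access_log(access)],
        "egress": [f.rule for f in scan_egress_log(egress)],
        "files": [f.rule for f in scan_file_events(events)],
    }


if __name__ == "__main__":
    for source, rules in run_triage().items():
        print(f"{source}: {rules or 'no findings'}")
```

In practice the three feeds come from a SIEM or EDR rather than from lists, and the ZIP rule is only as good as the allowlist of update hosts it is compared against; the point of the egress rule is that a backup server fetching an archive from a host nobody has approved is itself the alert, regardless of what the archive contains.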

A researcher at watchTowr discovered the vulnerability and reported it to Commvault on April 7. According to watchTowr's blog post, it is a straightforward Server-Side Request Forgery (SSRF) that can be exploited before authentication: there is no filter restricting which hosts the server is allowed to contact.

SSRF allows an attacker to make a server application send requests, on the attacker's behalf, to internal or external systems that the server can reach. This is the second serious vulnerability that watchTowr has recently found in backup software. Earlier this year, it reported an unauthenticated file-read vulnerability in Nakivo Backup & Replication.

Commvault stated that an attacker exploiting CVE-2025-34028 could gain complete control over the Command Center environment. The company said the vulnerability affects only the 11.38 Innovation Release and has been fixed in versions 11.38.20 and 11.38.25. If the update cannot be installed, the Command Center installation must be isolated from external networks. The update was released on April 17, while watchTowr officially disclosed the vulnerability this week.

watchTowr developed a proof-of-concept exploit to demonstrate how an attacker could exploit the vulnerability. It sends an HTTP request to a vulnerable Command Center instance that causes the server to retrieve a ZIP file from an attacker-controlled external server; the archive contains a malicious file, in this case a webshell, which is then unpacked and activated, giving the attacker code execution on the server.
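To make the SSRF described above concrete, here is an added example, illustrative code that is neither Commvault's implementation nor watchTowr's proof of concept, of the vulnerable "fetch a package from a caller-supplied host" pattern next to a hardened form. The hardened form applies the two controls a practitioner would want around any fetch-and-unpack feature: it allowlists the fetch target (HTTPS only, no user@host tricks, no IP literals, a fixed host set), and it refuses to unpack archive entries that escape the destination directory or that the application server would execute. The hostnames, paths and function names are hypothetical, and the ZIPs are constructed in memory.

```python
# Added example: the SSRF-to-unpacked-ZIP pattern the article describes, shown as a
# vulnerable helper next to a hardened one. This is illustrative code, not Commvault's
# implementation and not watchTowr's PoC; all names, hosts and paths are hypothetical.
import io
import ipaddress
import os
import posixpath
import tempfile
import zipfile
from urllib.parse import urlsplit


# Vulnerable shape: the package location is built straight from request input, so any
# host the attacker names becomes a fetch target for the server (classic SSRF).
def vulnerable_package_url(service_pack: str) -> str:
    return f"https://{service_pack}/package.zip"


# Hardened shape, part 1: only fetch from an explicit allowlist over HTTPS.
ALLOWED_HOSTS = {"updates.backup-vendor.invalid"}  # hypothetical update host


def is_allowed_fetch_target(url: str) -> bool:
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or parts.username or parts.password:
        return False  # plain-http downgrades and user@host tricks are rejected
    host = parts.hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # IP literals (loopback, link-local, RFC 1918) are never allowed
    except ValueError:
        pass
    return host.lower() in ALLOWED_HOSTS and port in (None, 443)


# Hardened shape, part 2: unpack only entries that stay inside dest_dir and that the
# application server would not execute.
SERVER_EXECUTABLE = (".jsp", ".jspx", ".war")


def safe_extract_zip(data: bytes, dest_dir: str) -> list[str]:
    dest_real = os.path.realpath(dest_dir)
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            if name.endswith("/"):
                continue  # directory entry; directories are created on demand below
            norm = posixpath.normpath(name)
            if posixpath.isabs(norm) or norm == ".." or norm.startswith("../"):
                raise ValueError(f"traversal entry rejected: {info.filename!r}")
            if norm.lower().endswith(SERVER_EXECUTABLE):
                raise ValueError(f"server-executable entry rejected: {info.filename!r}")
            target = os.path.realpath(os.path.join(dest_real, norm))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"traversal entry rejected: {info.filename!r}")
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(norm)
    return written


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Constructs a ZIP in memory (test fixture, not a real package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


def run_demo() -> dict:
    """Exercises both controls on constructed input and returns the outcomes."""
    results = {
        "vuln_url": vulnerable_package_url("attacker.invalid"),
        "allow_good": is_allowed_fetch_target("https://updates.backup-vendor.invalid/pkg.zip"),
        "allow_attacker": is_allowed_fetch_target("https://attacker.invalid/pkg.zip"),
        "allow_metadata": is_allowed_fetch_target("http://169.254.169.254/latest/meta-data/"),
        "allow_userinfo": is_allowed_fetch_target("https://updates.backup-vendor.invalid@attacker.invalid/"),
    }
    benign = build_zip({"dist/readme.txt": b"ok"})
    hostile = build_zip({"../../web/shell.jsp": b"<% %>"})  # traversal plus a webshell
    with tempfile.TemporaryDirectory() as tmp:
        results["benign_files"] = safe_extract_zip(benign, tmp)
        try:
            safe_extract_zip(hostile, tmp)
            results["hostile_rejected"] = False
        except ValueError:
            results["hostile_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two caveats on the hardened form: a hostname allowlist does not by itself stop DNS rebinding, so a production fetcher should resolve the allowed name, check the resulting address, and connect to that pinned address rather than re-resolving; and the safest place to unpack a downloaded package is a directory the web server never serves at all, so that an entry which slips past the filename checks still cannot be reached over HTTP.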

Direct access point for attackers

Vulnerabilities in software such as Commvault's are particularly concerning because these applications sit at the core of organizations' IT infrastructure, with access to a wide range of business assets. Because they are designed to communicate with critical systems, sensitive data, and backup environments, they provide a direct access point for any attacker who manages to exploit them.

Eric Schwake, director of cybersecurity strategy at Salt Security, said the risk of CVE-2025-34028 lies in unauthenticated remote code execution on systems that are often critical to organizations' data protection. According to him, a breach could lead to large-scale data leaks, ransom demands for encrypted backups, or complete control over recovery processes.

Renfrow indicated that the lack of authentication, Commvault's central role in enterprise environments, and the ZIP-based exploit chain watchTowr developed together make this vulnerability particularly dangerous. He noted that it effectively gives an attacker complete control of the server, with the potential to access or manipulate sensitive backup data or to move deeper into the infrastructure.