CVE-2025-34028
Published: 22 April 2025
Summary
CVE-2025-34028 is a critical-severity Path Traversal (CWE-22) vulnerability in Commvault Command Center (Innovation Release). Its CVSS base score is 9.3 (Critical).
Operationally, it ranks in the top 1.3% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-34028 is a path traversal flaw combined with missing authentication controls in the Commvault Command Center Innovation Release. It affects versions 11.38.0 through 11.38.20 and permits an unauthenticated actor to upload specially crafted ZIP files that represent install packages. When the server expands such an archive, entry names are not confined to the intended extraction directory, so an entry carrying traversal sequences can write a malicious JSP file outside that directory, resulting in remote code execution.
An unauthenticated remote attacker can exploit the issue over the network by submitting a malicious ZIP through the Command Center interface. Successful exploitation grants the ability to place and execute arbitrary code on the target server, achieving full compromise of the affected Commvault instance with impacts to confidentiality, integrity, and availability.
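The extraction behaviour described above (an archive entry whose name escapes the target directory, the pattern usually called "zip slip") and the SI-10 input-validation control listed under Mitigating Controls, as an added Python example. This is not Commvault's code and does not reproduce the real Command Center upload endpoint, package format or directory layout; the package contents, the `pkg/` and `webroot/` names and the `shell.jsp` entry are all constructed for illustration. Python's own `ZipFile.extractall` already strips traversal components, so the vulnerable variant extracts entries by hand to mirror the unsafe pattern.

```python
import io
import os
import re
import tempfile
import zipfile
from pathlib import Path, PurePosixPath


def build_package(entries):
    """Build an in-memory ZIP from {entry_name: bytes}. Constructed sample data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples (hypothetical layout, not a real install package).
BENIGN_PACKAGE = build_package({
    "pkg/manifest.txt": b"version=1\n",
    "pkg/lib/tool.dll": b"\x00" * 16,
})
MALICIOUS_PACKAGE = build_package({
    "pkg/manifest.txt": b"version=1\n",
    # POSIX-style and Windows-style traversal; both must be caught by validation.
    "../../webroot/shell.jsp": b'<%= "planted outside the package directory" %>',
    "..\\..\\webroot\\shell2.jsp": b'<%= "planted via backslashes" %>',
})


def traversal_entries(package):
    """Return entry names that would escape the extraction directory (SI-10 style input validation)."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            norm = name.replace("\\", "/")  # ZIP names may use either separator
            parts = PurePosixPath(norm).parts
            # Reject absolute paths, drive letters and any '..' component. The check is on
            # the entry string itself, so it does not depend on the host filesystem state.
            if norm.startswith("/") or re.match(r"^[A-Za-z]:", norm) or ".." in parts:
                bad.append(name)
    return bad


def unsafe_extract(package, dest):
    """Extraction without path validation: each entry is written wherever its name points (CWE-22)."""
    dest = Path(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = Path(os.path.normpath(dest / info.filename))  # '..' is honoured as-is
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def safe_extract(package, dest):
    """Reject the whole package on any traversal entry, then re-check each resolved target (defence in depth)."""
    dest = Path(dest).resolve()
    bad = traversal_entries(package)
    if bad:
        raise ValueError(f"rejected package: traversal entries {bad}")
    written = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = (dest / info.filename).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"rejected entry escaping {dest}: {info.filename}")
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def demo():
    """Run both extractors in a scratch tree; report whether the planted JSP escaped."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        vuln_dir = root / "server" / "packages"
        vuln_dir.mkdir(parents=True)
        unsafe_written = unsafe_extract(MALICIOUS_PACKAGE, vuln_dir)
        unsafe_escaped = any(vuln_dir not in p.parents for p in unsafe_written)

        fixed_dir = root / "server" / "packages_fixed"
        fixed_dir.mkdir(parents=True)
        try:
            safe_extract(MALICIOUS_PACKAGE, fixed_dir)
            safe_rejected = False
        except ValueError:
            safe_rejected = True
        benign_files = len(safe_extract(BENIGN_PACKAGE, fixed_dir))
        return {"unsafe_escaped": unsafe_escaped,
                "safe_rejected": safe_rejected,
                "benign_files": benign_files}


if __name__ == "__main__":
    print(traversal_entries(MALICIOUS_PACKAGE))
    print(demo())
```

Rejecting the whole archive on the first bad entry, rather than silently skipping it, is deliberate: a package carrying traversal names is hostile input, and the rejection is the event a detection team wants logged. The resolved-path check in `safe_extract` is kept even though `traversal_entries` already passed, so a future change to the name check cannot reopen the write.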
Vendor advisories direct customers to apply the listed cumulative updates that resolve the flaw: SP38-CU20-433 or SP38-CU20-436 for the 11.38.20 branch and SP38-CU25-434 or SP38-CU25-438 for the 11.38.25 branch. Public references also include technical write-ups confirming the pre-authentication vector and a CISA entry listing the CVE in the Known Exploited Vulnerabilities catalog.
The EPSS score (estimated probability of exploitation in the next 30 days) peaked at 0.7164 and currently stands at 0.6933, indicating sustained exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-12275
Vulnerability details
The Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files that represent install packages that, when expanded by the target server, are vulnerable to path traversal vulnerability that can result in Remote Code Execution via malicious JSP. This issue affects Command Center Innovation Release: 11.38.0 to 11.38.20. The vulnerability is fixed in 11.38.20 with SP38-CU20-433 and SP38-CU20-436 and also fixed in 11.38.25 with SP38-CU25-434 and SP38-CU25-438.
- CWE(s): CWE-22 (Path Traversal)
- KEV Date Added: 02 May 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Commvault Command Center Innovation Release, versions 11.38.0 through 11.38.20 (fixed in 11.38.20 with SP38-CU20-433 or SP38-CU20-436, and in 11.38.25 with SP38-CU25-434 or SP38-CU25-438).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces authentication and authorization checks before allowing the ZIP upload and extraction operations that the CVE reaches without any credentials.
- SI-10 (Information Input Validation): requires validation of input data (ZIP archive entry names) to block the path traversal sequences that write malicious JSP files outside the intended directory.
- SI-3 (Malicious Code Protection): provides malicious-code scanning and blocking of uploaded install packages before server-side expansion and JSP execution can occur.