Cyber Resilience

CVE-2025-34028

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 22 April 2025
Modified: 06 November 2025
KEV added: 02 May 2025
Patch: available (see vendor advisories below)
CVSS v4.0 base score: 9.3 (Critical)
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.6933 (98.7th percentile)
Risk priority: 80 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-34028 is a critical-severity Path Traversal (CWE-22) vulnerability in Commvault Command Center (Innovation Release). Its CVSS v4.0 base score is 9.3 (Critical).

Operationally, it ranks in the top 1.3% of CVEs by EPSS exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations this analysis identified are NIST SP 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-34028 is a path traversal flaw in the Commvault Command Center Innovation Release that is reachable without authentication. It affects versions 11.38.0 through 11.38.20. The Command Center accepts ZIP uploads that represent install packages from an unauthenticated actor; when the server expands such an archive, entry names that carry directory-traversal sequences cause files to be written outside the intended extraction directory. Writing a malicious JSP into a location the application server will execute turns the traversal into remote code execution.

The attack is network-reachable and needs neither credentials nor user interaction: the attacker submits the crafted ZIP through the Command Center interface. Successful exploitation places and executes arbitrary code on the server, a full compromise of the affected Commvault instance with impact on confidentiality, integrity and availability.

Vendor advisories direct customers to the cumulative updates that resolve the flaw: SP38-CU20-433 or SP38-CU20-436 for the 11.38.20 branch and SP38-CU25-434 or SP38-CU25-438 for the 11.38.25 branch. Note that being on 11.38.20 is not sufficient; the fix is the CU, so verify the installed CU number rather than only the release. Public references include technical write-ups confirming the pre-authentication vector and the CISA entry listing the CVE in the Known Exploited Vulnerabilities catalog. Given the KEV listing and a public proof-of-concept, an unpatched instance that has been reachable from untrusted networks should also be checked for unexpected JSP files outside the package staging directory, not merely updated.

The EPSS score peaked at 0.7164 and currently stands at 0.6933, indicating sustained exploitation interest since disclosure.


Vulnerability details

The Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files that represent install packages that, when expanded by the target server, are vulnerable to path traversal vulnerability that can result in Remote Code Execution via malicious JSP. This issue affects Command Center Innovation Release: 11.38.0 to 11.38.20. The vulnerability is fixed in 11.38.20 with SP38-CU20-433 and SP38-CU20-436 and also fixed in 11.38.25 with SP38-CU25-434 and SP38-CU25-438.

CWE(s): CWE-22 (Path Traversal)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: commvault
Product: commvault (Command Center Innovation Release)
Versions: 11.38.0 to 11.38.20

Mitigating Controls (NIST SP 800-53 r5)

AC-3 Access Enforcement (prevent)

Directly enforces authentication and authorization checks before allowing the ZIP upload and extraction operations that the CVE exploits without any credentials.

SI-10 Information Input Validation (prevent)

Requires validation of input data (ZIP archive entry names) to block the path traversal sequences that write malicious JSP files outside the intended directories.

SI-3 Malicious Code Protection (prevent, detect)

Provides malicious-code scanning and blocking of uploaded install packages before server-side expansion and JSP execution can occur.
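The archive-expansion flaw described under Deeper analysis, together with the input-validation and pre-expansion scanning controls listed above, as an added example in Python. This is illustrative code, not Commvault's: the entry names, the directory layout and the JSP placeholder are constructed for the demonstration, and the rule that server pages are never legitimate package content is an assumption of the example. It shows the naive extractor writing evil.jsp two directories above its extraction root, and a hardened extractor that validates every entry name before expanding anything and then re-checks containment of each resolved target.

```python
# Added example (not Commvault code): the Zip Slip pattern behind this CVE and
# the pre-expansion validation that stops it. All names and the JSP placeholder
# are constructed for illustration.
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

# Assumption: executable server pages never belong in an install package.
FORBIDDEN_SUFFIXES = {".jsp", ".jspx"}


def build_package(entries: dict) -> bytes:
    """Build an in-memory ZIP from {entry_name: contents} (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

def malicious_package() -> bytes:
    """Benign manifest plus one entry whose name carries a traversal sequence."""
    return build_package({
        "package/manifest.txt": "name=demo\n",
        "../../webroot/evil.jsp": "<% /* placeholder, not a web shell */ %>",
    })

def scan_package(package: bytes) -> list:
    """SI-10 style validation before expansion: check every entry name, write
    nothing. An empty list means the archive is safe to expand."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")  # some extractors honour '\'
            parts = PurePosixPath(name).parts
            if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
                findings.append(f"absolute path: {info.filename}")
            if ".." in parts:
                findings.append(f"traversal sequence: {info.filename}")
            if PurePosixPath(name).suffix.lower() in FORBIDDEN_SUFFIXES:
                findings.append(f"server page in install package: {info.filename}")
    return findings

def extract_vulnerable(package: bytes, dest: Path) -> list:
    """Vulnerable pattern: join each trusted entry name onto dest. (ZipFile's own
    extractall() strips leading '..', so the bug is reproduced by hand.)"""
    written = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            target = dest / info.filename  # no normalisation, no containment check
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target.resolve())
    return written

def extract_hardened(package: bytes, dest: Path) -> list:
    """Reject the whole package on any finding (writing nothing), then re-check
    containment of every resolved target as defence in depth."""
    findings = scan_package(package)
    if findings:
        raise ValueError("rejected package: " + "; ".join(findings))
    dest, written = dest.resolve(), []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = (dest / info.filename).resolve()
            if target == dest or not target.is_relative_to(dest):
                raise ValueError(f"entry escapes destination: {info.filename}")
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written

def run_extractors(package: bytes) -> dict:
    """Run both extractors in a scratch directory: report what the vulnerable
    one wrote outside its directory and whether the hardened one refused."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        dest = root / "a" / "b" / "extract"  # nested so '../..' stays inside tmp
        dest.mkdir(parents=True)
        escaped = [p.relative_to(root).as_posix()
                   for p in extract_vulnerable(package, dest)
                   if not p.is_relative_to(dest)]
        hardened_dir = root / "hardened"
        try:
            wrote = [p.relative_to(hardened_dir).as_posix()
                     for p in extract_hardened(package, hardened_dir)]
            rejected = False
        except ValueError:
            wrote, rejected = [], True
    return {"escaped": escaped, "hardened_rejected": rejected,
            "hardened_wrote": wrote, "findings": scan_package(package)}

if __name__ == "__main__":
    print(run_extractors(malicious_package()))
```

Running the module prints the result for the constructed malicious package: the vulnerable extractor lands the payload at a/webroot/evil.jsp, outside a/b/extract, while the hardened extractor rejects the archive on two findings before touching the filesystem. The shape to look for when reviewing any server-side package expansion, whatever the language, is the hardened variant: validate entry names first, then resolve each target and confirm it stays under the destination.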
