CVE-2025-34028 is a vulnerability in Commvault Command Center
Published on April 22, 2025

The Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files that represent install packages. When the target server expands such an archive, it is subject to a path traversal vulnerability that can result in Remote Code Execution via a malicious JSP. This issue affects Command Center Innovation Release 11.38.

References: Vendor Advisory, NVD

Known Exploited Vulnerability

This Commvault Command Center Path Traversal Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Commvault Command Center contains a path traversal vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code.

CISA requires the following remediation steps by May 23, 2025: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Vulnerability Analysis

CVE-2025-34028 is exploitable over the network and requires neither privileges nor user interaction. Its attack complexity is low, which gives it the highest possible CVSS v3 exploitability subscore (3.9). The impact is rated critical: a successful exploit has a high impact on the confidentiality, integrity and availability of the component.

What is a Directory Traversal Vulnerability?

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CVE-2025-34028 has been classified as a Directory Traversal vulnerability or weakness.
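The weakness described in the summary above (an uploaded ZIP whose entry names escape the extraction directory) and the generic Directory Traversal definition are the same pattern. The following is an added, generic illustration, not Commvault's code and not a reproduction of the CVE-2025-34028 exploit: it builds a constructed in-memory ZIP containing one benign entry and one entry whose name climbs two directories up, then extracts it twice, once with a naive extractor that trusts the entry name and once with a hardened extractor that resolves every entry against the destination and rejects anything that lands outside it. The entry names, the `.jsp` placeholder content and the directory layout are all constructed for the example.

```python
import io
import os
import posixpath
import tempfile
import zipfile
from pathlib import Path

# Constructed sample entries (hypothetical names, not the real install package layout).
BENIGN_ENTRY = "pkg/README.txt"
TRAVERSAL_ENTRY = "../../dropped.jsp"   # climbs out of the extraction directory


def build_sample_zip() -> bytes:
    """Build the constructed archive in memory. zipfile does not sanitize names on write."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(BENIGN_ENTRY, "harmless\n")
        zf.writestr(TRAVERSAL_ENTRY, "<%-- hypothetical placeholder, not a payload --%>\n")
    return buf.getvalue()


def extract_naive(zip_bytes: bytes, dest: Path) -> list[Path]:
    """Vulnerable pattern: the entry name is joined to dest and '..' is honoured.
    (Python's own ZipFile.extractall strips such components, so the loop is explicit.)"""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = Path(os.path.normpath(os.path.join(dest, info.filename)))
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def safe_target(dest: Path, name: str) -> Path:
    """Map an archive entry name to a path strictly inside dest, or raise ValueError."""
    if name.startswith(("/", "\\")) or "\\" in name or "\x00" in name:
        raise ValueError(f"rejected entry name: {name!r}")
    norm = posixpath.normpath(name)              # collapses 'a/../../b' to '../b'
    if norm == ".." or norm.startswith("../") or posixpath.isabs(norm):
        raise ValueError(f"rejected entry name: {name!r}")
    dest_real = dest.resolve()
    target = (dest_real / norm).resolve()        # also follows symlinks already present in dest
    if target != dest_real and dest_real not in target.parents:
        raise ValueError(f"entry escapes destination: {name!r}")
    return target


def entry_is_safe(dest: Path, name: str) -> bool:
    try:
        safe_target(dest, name)
        return True
    except ValueError:
        return False


def extract_safe(zip_bytes: bytes, dest: Path) -> tuple[list[Path], list[str]]:
    """Hardened extractor: skips directory entries, rejects escaping names, keeps a reject log."""
    written, rejected = [], []
    dest.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if not entry_is_safe(dest, info.filename):
                rejected.append(info.filename)
                continue
            target = safe_target(dest, info.filename)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written, rejected


def demo() -> dict:
    """Run both extractors inside a throwaway directory and report what escaped."""
    zip_bytes = build_sample_zip()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        naive_dest = root / "naive" / "extract"
        naive_dest.mkdir(parents=True)
        naive_written = extract_naive(zip_bytes, naive_dest)
        escaped = [p for p in naive_written
                   if naive_dest.resolve() not in p.resolve().parents]
        safe_dest = root / "safe" / "extract"
        safe_written, rejected = extract_safe(zip_bytes, safe_dest)
        return {
            "naive_escaped": [p.relative_to(root).as_posix() for p in escaped],
            "safe_written": [p.relative_to(safe_dest.resolve()).as_posix() for p in safe_written],
            "safe_rejected": rejected,
        }


if __name__ == "__main__":
    print(demo())
```

In the naive run the traversal entry is written two levels above the extraction directory; in the hardened run it is refused and logged, while the benign entry is extracted normally. The check resolves the real destination and the real target before comparing them, so a symlinked directory already present under the destination cannot be used to redirect the write. For an upload endpoint such as the one described above, this check belongs alongside authentication of the caller and an allowlist of the file types an install package may legitimately contain; the example only covers the path traversal part.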

Missing Authentication for Critical Function

The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.



What versions of Commvault are vulnerable to CVE-2025-34028?

Each of the following must match for the vulnerability to exist.