CVE-2025-34028
Status: PUBLISHED · Listed in CISA KEV
CVSS 9.3 CRITICAL
A path traversal vulnerability in Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files, which, when expanded by the target server, result in Remote Code Execution. This issue affects Command Center Innovation Release: 11.38.
EPSS 65.34% · 98.5th percentile
Risk Scores
- CVSS v4.0: 9.3 (CRITICAL)
  Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H
- EPSS: 65.34% (98.5th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| commvault | commvault | 11.38.0 |
| Commvault | Command Center Innovation Release | 11.38.0 |
Timeline
- Aug 12, 2021 CrowdSec Sighting
- Oct 21, 2021 CrowdSec Sighting
- Mar 8, 2022 CrowdSec Sighting
- Nov 8, 2022 CrowdSec Sighting
- Mar 9, 2023 CrowdSec Sighting
- Apr 5, 2023 CrowdSec Sighting
References
- https://documentation.commvault.com/securityadvisories/CV_2025_04_1.html (vendor advisory)
- https://labs.watchtowr.com/fire-in-the-hole-were-breaching-the-vault-commvault-remote-code-execution-cve-2025-34028/ (exploit write-up)
- https://github.com/watchtowrlabs/watchTowr-vs-Commvault-PreAuth-RCE-CVE-2025-34028 (exploit)
- https://www.vulncheck.com/advisories/commvault-command-center-innovation-release-unauthenticated-install-package-path-traversal (third-party advisory)
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-34028 (CISA KEV catalog entry)
- https://nvd.nist.gov/vuln/detail/CVE-2025-34028 (NVD advisory)