Commvault Releases Security Updates for Command Center
Updates address a critical path traversal vulnerability leading to remote code execution
Affected platforms
The following platforms are known to be affected:
Threat details
CVE-2025-34028 exploited in the wild
The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-34028 to the Known Exploited Vulnerabilities (KEV) catalogue.
Additionally, a proof-of-concept (PoC) exploit has been released for CVE-2025-34028. The NHS England National CSOC assess exploitation of this vulnerability as more likely.
Introduction
Commvault has released a security advisory to address a critical vulnerability in its Command Center Platform. Command Center is Commvault's all-in-one solution for managing Commvault services within a corporate environment.
CVE-2025-34028 is a path traversal vulnerability with a CVSSv3 base score of 10.0. If exploited, it could allow an unauthenticated attacker to upload ZIP files. The ZIP files may then be expanded by the target server, which could result in remote code execution (RCE).
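The advisory describes a vulnerability class (archive entries whose paths escape the intended extraction directory when the server expands an uploaded ZIP) rather than a single bug in a single function. The following is an added, generic illustration of the defensive check a server-side extractor should perform before writing anything to disk; it is not Commvault code and does not reproduce Command Center's internal mechanism. The two sample archives are constructed inline, and the destination directory defaults to a fresh temporary directory.

```python
"""Hardened ZIP expansion that refuses entries escaping the destination directory.

Added illustration of the zip-slip / path traversal check; not Commvault code.
Sample archives below are constructed for the example.
"""
import io
import os
import stat
import tempfile
import zipfile


def _build_zip(entries):
    """Construct an in-memory ZIP from (name, bytes) pairs (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives: one benign, one carrying traversal and absolute entries.
BENIGN_ZIP = _build_zip([("report/readme.txt", b"hello"), ("report/data.csv", b"a,b\n")])
TRAVERSAL_ZIP = _build_zip([
    ("report/readme.txt", b"hello"),
    ("../../outside.txt", b"escaped"),
    ("/abs/path.txt", b"absolute"),
])


def unsafe_entries(zip_bytes, dest_dir=None):
    """Return names of entries that would land outside dest_dir, or that are symlinks.

    The check resolves the final on-disk path of every entry and compares it with
    the resolved destination root, so '..' components, absolute names and symlink
    tricks are all caught the same way.
    """
    root = os.path.realpath(dest_dir or tempfile.mkdtemp(prefix="safe_extract_"))
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            escapes = os.path.commonpath([root, target]) != root
            # A symlink entry could redirect a later write; treat it as unsafe too.
            is_symlink = stat.S_ISLNK(info.external_attr >> 16)
            if escapes or is_symlink:
                bad.append(info.filename)
    return bad


def safe_extract(zip_bytes, dest_dir=None):
    """Validate every entry first; only then write files. Returns the names written."""
    dest_dir = dest_dir or tempfile.mkdtemp(prefix="safe_extract_")
    bad = unsafe_entries(zip_bytes, dest_dir)
    if bad:
        # Fail closed: a single bad entry rejects the whole archive.
        raise ValueError(f"archive rejected, unsafe entries: {bad}")
    root = os.path.realpath(dest_dir)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(root, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(info.filename)
    return written


def is_rejected(zip_bytes):
    """True if safe_extract refuses the archive (used to exercise the failure path)."""
    try:
        safe_extract(zip_bytes)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("benign unsafe entries:", unsafe_entries(BENIGN_ZIP))
    print("traversal unsafe entries:", unsafe_entries(TRAVERSAL_ZIP))
    print("traversal rejected:", is_rejected(TRAVERSAL_ZIP))
```

The files are written with a plain `open()` rather than `ZipFile.extractall()` to make the point visible: an extractor that trusts entry names as given will follow `../` and absolute paths, which is why validation has to happen against the resolved path before the first byte is written. Python's own `extractall()` already strips traversal components, but many extraction routines in other languages and frameworks do not, so the explicit check is the portable pattern.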
Threat updates
| Date | Update |
|---|---|
| 30 Apr 2025 | CVE-2025-34028 added to CISA's Known Exploited Vulnerabilities catalogue |
Remediation advice
Affected organisations are encouraged to review the Commvault security advisory CV_2025_04_1 and apply the relevant updates as soon as practicable.
Definitive source of threat updates
Last edited: 30 April 2025 10:56 am