Commvault Bug Exploited in the Wild Lands on CISA's Must-Patch List
A critical vulnerability in Commvault Command Center is now under active attack, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) catalog. The move, less than two weeks after public disclosure, compels federal agencies to prioritize patching the flaw.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) just added a seriously nasty security hole in Commvault Command Center to its Known Exploited Vulnerabilities (KEV) catalog. Think of the KEV catalog as a "patch these now!" list. This move comes just a little over a week after the flaw was publicly revealed.
So, what's the deal? The vulnerability is tracked as CVE-2025-34028, and it's a big one – a CVSS score of 10.0! This is a path traversal bug that hits Commvault Command Center 11.38 Innovation Release, specifically versions 11.38.0 through 11.38.19. The good news? It's fixed in versions 11.38.20 and 11.38.25.
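When checking an estate against an advisory like this, the common slip is comparing version strings lexicographically ("11.38.9" sorts after "11.38.19"). The helper below, an added example rather than anything from Commvault or the article, parses versions into integer tuples and classifies hosts against the 11.38.0 through 11.38.19 range and the two fixed builds named above; it assumes nothing about releases outside that range and flags them for a vendor check rather than calling them safe.

```python
"""Inventory triage for CVE-2025-34028 version ranges (added example, not vendor code).

Affected: Commvault Command Center 11.38.0 - 11.38.19 (per the advisory).
Fixed:    11.38.20 and 11.38.25.
Anything outside the 11.38 range is reported for a manual vendor check; this
helper deliberately does not assume other release lines are unaffected.
"""

AFFECTED_MIN = (11, 38, 0)
AFFECTED_MAX = (11, 38, 19)
FIXED_BUILDS = {(11, 38, 20), (11, 38, 25)}


def parse_version(text: str) -> tuple:
    """'11.38.19' -> (11, 38, 19); integer tuples compare numerically, strings do not."""
    return tuple(int(part) for part in text.strip().split("."))


def classify(version: str) -> str:
    """Return 'patch', 'fixed', or 'check-vendor' for one reported build."""
    v = parse_version(version)
    if v in FIXED_BUILDS:
        return "fixed"
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "patch"
    if v[:2] == (11, 38) and v > AFFECTED_MAX:
        # later 11.38 build than the fixed ones listed; treat as fixed only if
        # the vendor says so, hence the conservative label
        return "check-vendor"
    return "check-vendor"


def triage(hosts: dict) -> dict:
    """Map hostname -> classification for a hostname -> version inventory."""
    return {host: classify(ver) for host, ver in hosts.items()}


# Constructed sample inventory, not real hosts.
SAMPLE_HOSTS = {
    "cc-prod-01": "11.38.19",
    "cc-prod-02": "11.38.9",
    "cc-dr-01": "11.38.20",
    "cc-lab-01": "11.36.45",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_HOSTS).items():
        print(f"{host:12} {SAMPLE_HOSTS[host]:10} {verdict}")
```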
CISA says, "Commvault Command Center contains a path traversal vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code." Yikes!
In short, the flaw lets an attacker upload a ZIP archive; when the server unpacks it, the archive's contents can land where they get executed as code. Not good!
Cybersecurity firm watchTowr Labs, which found and reported the bug, explained that the problem lies in an endpoint called "deployWebpackage.do." The endpoint is reachable before anyone logs in and triggers a Server-Side Request Forgery (SSRF). By supplying a ZIP file with a .JSP file tucked inside, attackers can get code execution.
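The bug class behind this flaw is a server that unpacks an uploaded archive without validating entry names, so a "../" entry or a server-side script ends up outside the intended directory. The code below is an added, defensive example of how an upload handler should vet a ZIP before extracting it; it is not Commvault's code and the archives it builds are constructed in memory. The blocked-extension list and the "deploy" directory name are assumptions for the demo.

```python
"""Safe ZIP handling for the bug class behind CVE-2025-34028 (added example).

An upload endpoint that unpacks archives must refuse entries that escape the
target directory and entries that would be served as server-side code. This
rejects the whole archive on the first problem and, as defence in depth,
rechecks every resolved path against the extraction root.
"""
import io
import os
import posixpath
import tempfile
import zipfile

# Assumption for this demo: the deployment serves static content only.
BLOCKED_EXTENSIONS = {".jsp", ".jspx", ".war"}


def entry_problems(name: str) -> list:
    """List why a single archive entry name is unacceptable (empty if fine)."""
    problems = []
    unified = name.replace("\\", "/")
    norm = posixpath.normpath(unified)
    if unified.startswith("/") or (len(unified) > 1 and unified[1] == ":"):
        problems.append("absolute path")
    if norm == ".." or norm.startswith("../"):
        problems.append("path traversal")
    if posixpath.splitext(norm)[1].lower() in BLOCKED_EXTENSIONS:
        problems.append("server-side script")
    return problems


def inspect_archive(data: bytes) -> dict:
    """Map offending entry name -> problems for every bad entry in the ZIP."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            problems = entry_problems(info.filename)
            if problems:
                findings[info.filename] = problems
    return findings


def extract_safely(data: bytes, dest: str = "") -> list:
    """Extract only if every entry passes; returns the relative paths written."""
    findings = inspect_archive(data)
    if findings:
        raise ValueError(f"refusing archive: {findings}")
    root = os.path.realpath(dest or tempfile.mkdtemp(prefix="upload-"))
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            rel = posixpath.normpath(info.filename.replace("\\", "/"))
            target = os.path.realpath(os.path.join(root, *rel.split("/")))
            # Defence in depth: the resolved path must still sit under the root.
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"entry escapes root: {info.filename}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(rel)
    return sorted(written)


def build_archive(entries: dict) -> bytes:
    """Build an in-memory ZIP from name -> bytes (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a benign static bundle and one carrying a traversal entry.
GOOD_ENTRIES = {
    "webpackage/index.html": b"<h1>hello</h1>",
    "webpackage/static/app.js": b"console.log('ok');",
}
BAD_ENTRIES = {
    "webpackage/index.html": b"<h1>hello</h1>",
    "../../../deploy/dropped.jsp": b"<%-- placeholder --%>",
}

if __name__ == "__main__":
    print("good:", inspect_archive(build_archive(GOOD_ENTRIES)) or "no findings")
    print("bad: ", inspect_archive(build_archive(BAD_ENTRIES)))
```

Note that Python's own `ZipFile.extractall` already strips traversal components, but relying on that hides the fact that someone sent a hostile archive; rejecting it outright gives you something to log and alert on.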
We don't yet know exactly how this vulnerability is being used in the wild. However, it's the second Commvault flaw to be actively exploited. The first was CVE-2025-3928 (CVSS score: 8.7), which was an unspecified issue in the Commvault Web Server allowing authenticated attackers to create and run web shells.
Commvault said last week that a small number of customers were affected by the earlier exploitation. They also emphasized that there was no unauthorized access to customer backup data.
Because CVE-2025-34028 is being actively exploited, Federal Civilian Executive Branch (FCEB) agencies *must* patch their systems by May 23, 2025. Consider this your friendly reminder to get patching!