
Ethical Hacking News

A Critical Flaw in Commvault Command Center Enables Remote Code Execution



A critical security flaw has been discovered in the Commvault Command Center, which allows remote attackers to execute arbitrary code without authentication. This vulnerability, tracked as CVE-2025-34028, carries a CVSS score of 9.0 out of a maximum of 10.0 and affects versions 11.38.0 through 11.38.19. Organizations are urged to apply necessary mitigations to safeguard against potential threats.

  • Cybersecurity experts have discovered a critical security flaw in Commvault Command Center (CVE-2025-34028) that allows remote attackers to execute arbitrary code without authentication.
  • The vulnerability has a CVSS score of 9.0 and was reported by watchTowr Labs researcher Sonny Macdonald on April 7, 2025.
  • The flaw is rooted in an endpoint called "deployWebpackage.do" that triggers a pre-authenticated Server-Side Request Forgery (SSRF) due to lack of filtering.
  • The vulnerability affects versions 11.38.0-11.38.19 of Commvault Command Center and has been resolved in versions 11.38.20 and 11.38.25.



    Cybersecurity experts have recently discovered a critical security flaw in the Commvault Command Center, which allows remote attackers to execute arbitrary code without authentication. This vulnerability, tracked as CVE-2025-34028, carries a CVSS score of 9.0 out of a maximum of 10.0, making it one of the most severe vulnerabilities in recent times.

    The vulnerability was discovered by watchTowr Labs researcher Sonny Macdonald, who reported it on April 7, 2025. According to Macdonald's report, the flaw is rooted in an endpoint called "deployWebpackage.do," which triggers a pre-authenticated Server-Side Request Forgery (SSRF) because the endpoint does not filter which hosts it may be made to contact. This allows attackers to chain the SSRF into pre-authenticated remote code execution.

    To exploit this vulnerability, attackers would send an HTTP request to /commandcenter/deployWebpackage.do, causing the Commvault instance to retrieve a ZIP file from an external server. The contents of the ZIP file would then be unzipped into a .tmp directory whose contents the attacker controls. Using the servicePack parameter, the attacker could traverse out of the .tmp directory into a directory that is reachable without authentication, such as ../../Reports/MetricsUpload/shell. Finally, the attacker could trigger the SSRF again via /commandcenter/deployWebpackage.do and invoke the planted shell at /reports/MetricsUpload/shell/.tmp/dist-cc/dist-cc/shell.jsp.

    The vulnerability affects versions 11.38.0 through 11.38.19 of the Commvault Command Center, which is a backup and replication software used by many organizations. It has been resolved in versions 11.38.20 and 11.38.25.
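    As an added example (not code from the article, from Commvault, or from watchTowr Labs), the following Python snippet shows two checks a defender could adapt from the facts above: whether a Command Center version string falls inside the affected range 11.38.0 through 11.38.19, and whether web-server access-log lines contain requests to the deployWebpackage.do endpoint whose servicePack parameter carries a path-traversal sequence. The log lines are constructed for the example, the Apache combined log format is assumed, and it is an assumption that servicePack appears as a query-string parameter; the page does not describe Commvault's own log layout.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Affected range as stated in the advisory summary (inclusive bounds).
AFFECTED_MIN = (11, 38, 0)
AFFECTED_MAX = (11, 38, 19)


def parse_version(version: str) -> tuple:
    """Turn a dotted version string such as '11.38.19' into a comparable tuple."""
    parts = version.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts[:3])


def is_affected(version: str) -> bool:
    """True if the Command Center version lies in 11.38.0 .. 11.38.19."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


# Apache combined-log style line (assumed format); only the request target matters here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Forward- or back-slash parent-directory traversal.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')


def suspicious_requests(log_lines):
    """Return (ip, timestamp, decoded servicePack) for every request to
    /commandcenter/deployWebpackage.do whose servicePack value contains
    a traversal sequence, after decoding the value twice to catch %252e-style
    double encoding."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a line we can parse; skip rather than guess
        url = urlparse(m.group("target"))
        if not url.path.lower().endswith("/commandcenter/deploywebpackage.do"):
            continue
        params = parse_qs(url.query)  # parse_qs already decodes once
        for value in params.get("servicePack", []):
            decoded = unquote(unquote(value))
            if TRAVERSAL_RE.search(decoded):
                hits.append((m.group("ip"), m.group("ts"), decoded))
    return hits


# Constructed sample log lines (hypothetical addresses from documentation ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Apr/2025:12:00:01 +0000] "GET /commandcenter/deployWebpackage.do?servicePack=../../Reports/MetricsUpload/shell HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/Apr/2025:12:00:02 +0000] "GET /commandcenter/deployWebpackage.do?servicePack=11.38.19 HTTP/1.1" 200 128',
    '198.51.100.9 - - [10/Apr/2025:12:00:03 +0000] "GET /commandcenter/login.do HTTP/1.1" 200 2048',
    '203.0.113.7 - - [10/Apr/2025:12:00:04 +0000] "GET /commandcenter/deployWebpackage.do?servicePack=..%252F..%252FReports HTTP/1.1" 200 512',
]


if __name__ == "__main__":
    for v in ("11.38.0", "11.38.19", "11.38.20", "11.38.25"):
        print(f"{v}: {'affected' if is_affected(v) else 'not in affected range'}")
    for ip, ts, sp in suspicious_requests(SAMPLE_LOG):
        print(f"traversal in servicePack from {ip} at {ts}: {sp}")
```

    The version check only answers "is this build number inside the published range"; it does not confirm that a given instance is exploitable or patched, so treat it as a triage aid alongside the vendor advisory. The log scan deliberately ignores lines it cannot parse instead of raising, so it can be pointed at a mixed log without aborting, and it double-decodes the parameter so that percent-encoded traversal sequences are not missed.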

    This critical flaw highlights the importance of keeping software up-to-date and applying necessary mitigations to safeguard against potential threats. Vulnerabilities in backup and replication software like Veeam and NAKIVO have already come under active exploitation in the wild, making it essential for organizations to take immediate action to protect themselves.

    In response to this vulnerability, Commvault published an advisory on April 17, 2025, warning users of the potential risks. watchTowr Labs has also created a Detection Artefact Generator that organizations can use to determine whether their instance is affected.

    The discovery of this critical flaw serves as a reminder of the importance of robust security measures and the need for ongoing vigilance in the face of evolving cyber threats. As cybersecurity experts continue to work tirelessly to identify and mitigate vulnerabilities, it is essential for individuals and organizations alike to remain vigilant and proactive in protecting themselves against potential threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Critical-Flaw-in-Commvault-Command-Center-Enables-Remote-Code-Execution-ehn.shtml

  • https://thehackernews.com/2025/04/critical-commvault-command-center-flaw.html

  • https://nvd.nist.gov/vuln/detail/CVE-2025-34028

  • https://www.cvedetails.com/cve/CVE-2025-34028/


  • Published: Thu Apr 24 06:29:17 2025 by llama3.2 3B Q4_K_M
