Enterprises running Commvault Innovation Release are urged to patch immediately against CVE-2025-34028. This critical flaw allows attackers to execute code remotely and gain full control of the system.
A severe security vulnerability has been discovered in Commvault Command Center, a widely adopted solution for enterprise backup and data management. The flaw, tracked as CVE-2025-34028 and assigned a critical severity score of 9.0 out of 10, could allow remote attackers to execute arbitrary code on vulnerable Commvault installations without needing to log in.
The dangerous weakness was discovered and responsibly reported on April 7, 2025, by Sonny Macdonald, a researcher with watchTowr Labs. Their analysis showed that the vulnerability lies in a specific web interface component, the “deployWebpackage.do” endpoint. This endpoint is susceptible to a pre-authenticated Server-Side Request Forgery (SSRF) attack because there is no proper validation of which external servers the Commvault system is permitted to interact with.
Commvault itself acknowledged the issue in a security advisory released on April 17, 2025, stating that this flaw “could result in a complete compromise of the Command Center environment,” potentially exposing sensitive data and disrupting critical operations.
However, the SSRF vulnerability is only the starting point for achieving full code execution. The research showed that attackers can extend it by sending a specially crafted ZIP archive containing a malicious “.JSP” file, tricking the Commvault server into fetching it from an attacker-controlled server. The contents of the ZIP are then extracted to a temporary directory, a location the attacker can influence. By manipulating the “servicePack” parameter in subsequent requests, the attacker can traverse the system’s directories, moving the malicious “.JSP” file into a publicly accessible location such as “../../Reports/MetricsUpload/shell.” Finally, by triggering the SSRF vulnerability again, the attacker can execute the “.JSP” file from that accessible location, effectively running arbitrary code on the Commvault system.
Notably, in this case the ZIP file is not read in the usual way. Instead, it is read from a “multipart request” before the vulnerable part of the software processes it. This could allow attackers to bypass security controls that would block normal web requests.
watchTowr Labs reported the security issue to Commvault, which quickly addressed it with a patch. The patch was released on April 10, 2025, and the issue was publicly disclosed on April 17, 2025.
Commvault confirmed that the problem only affects the “Innovation Release” software, versions 11.38.0 to 11.38.19, on Linux and Windows systems; updating to version 11.38.20 or 11.38.25 resolves the issue. watchTowr Labs has also published a “Detection Artefact Generator” to help administrators identify systems exposed to CVE-2025-34028.
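To turn the advisory's version range and the endpoint and parameter named above into a quick triage check, here is an added example (not code from watchTowr Labs or Commvault): it classifies an Innovation Release version as affected or not, and scans web access-log lines for requests to deployWebpackage.do whose servicePack parameter carries directory-traversal sequences. The log-line format and the /commandcenter/ path prefix are constructed assumptions, not a documented Commvault log layout.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Affected Innovation Release range from the advisory; 11.38.20 and 11.38.25 are fixed.
AFFECTED_MIN = (11, 38, 0)
AFFECTED_MAX = (11, 38, 19)

# Constructed sample access-log lines (hypothetical combined-log style, not a real Commvault log).
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Apr/2025:10:01:02 +0000] "GET /commandcenter/login.do HTTP/1.1" 200',
    '203.0.113.9 - - [18/Apr/2025:10:01:05 +0000] "POST /commandcenter/deployWebpackage.do'
    '?servicePack=..%2F..%2FReports%2FMetricsUpload%2Fshell HTTP/1.1" 200',
    '203.0.113.9 - - [18/Apr/2025:10:01:07 +0000] "GET /commandcenter/deployWebpackage.do HTTP/1.1" 200',
]

TRAVERSAL = re.compile(r"\.\./|\.\.\\|%2e%2e", re.IGNORECASE)
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

def parse_version(version):
    """Turn '11.38.19' into the tuple (11, 38, 19) for ordered comparison."""
    return tuple(int(part) for part in version.strip().split("."))

def is_affected(version):
    """True if the version falls inside the vulnerable 11.38.0 - 11.38.19 range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def flag_request(line):
    """Return (severity, reason) for a suspicious request line, or None for a benign one."""
    match = REQUEST_LINE.search(line)
    if not match:
        return None
    parts = urlsplit(match.group("target"))
    if not parts.path.lower().endswith("/deploywebpackage.do"):
        return None
    # parse_qs percent-decodes once; unquote again so double-encoded traversal is also caught.
    for value in parse_qs(parts.query, keep_blank_values=True).get("servicePack", []):
        decoded = unquote(value)
        if TRAVERSAL.search(decoded) or "MetricsUpload" in decoded:
            return ("high", f"traversal in servicePack: {decoded}")
    # The endpoint itself is the pre-auth SSRF entry point, so any hit is worth a look.
    return ("low", "request to deployWebpackage.do")

def scan_log(lines):
    """Return (line, severity, reason) for every line that flag_request marks suspicious."""
    hits = []
    for line in lines:
        result = flag_request(line)
        if result:
            hits.append((line, *result))
    return hits
```

Feed real access logs into scan_log and treat "high" hits on an unpatched version as an incident, not a curiosity.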
This research highlights that backup systems are becoming high-value targets for cyberattacks. These systems are critical for restoring normal operations after an attack, and if they are compromised they pose a significant threat, largely because they often hold credentials for essential corporate infrastructure. The severity of the flaw underscores the need for prompt security updates to data protection and backup infrastructure to ensure the best possible protection against such attacks.
Agnidipta Sarkar, VP CISO Advisory, ColorTokens, commented on the latest development, stating, “This CVSS 10 flaw permits unauthenticated remote code execution, risking full compromise of Commvault’s Command Center. Fast, sustained mitigation is essential. If a full network shutdown isn’t possible, tools like Xshield Gatekeeper can quickly isolate critical systems. Without action, the threat of ransomware and data loss is severe.”