CVE-2025-34028 is a critical security vulnerability classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-306 (Missing Authentication for Critical Function). It affects Commvault Command Center Innovation Release versions from 11.38.0 up to 11.38.20. The vulnerability allows an unauthenticated attacker to upload ZIP files intended as install packages. These ZIP files, when expanded by the target server, exploit a path traversal flaw that bypasses directory restrictions, enabling the attacker to write files outside the designated extraction directory. Specifically, the attacker can deploy malicious JSP (Java Server Pages) files that can be executed remotely, leading to Remote Code Execution (RCE). This means an attacker can execute arbitrary code on the server with the privileges of the Commvault service, potentially compromising the entire system. The vulnerability requires no authentication or user interaction, making it highly exploitable remotely over the network. The CVSS v3.1 base score is 9.3, indicating critical severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The vulnerability affects the Command Center Innovation Release versions 11.38.0 through 11.38.20 and is remediated in version 11.38.20 with service packs SP38-CU20-433 and SP38-CU20-436, and in 11.38.25 with SP38-CU25-434 and SP38-CU25-438. No known exploits have been reported in the wild yet, but the vulnerability is publicly disclosed and should be treated as urgent. The flaw stems from insufficient validation and sanitization of file paths during ZIP extraction, allowing directory traversal sequences (e.g., ../) to escape the intended extraction directory and place malicious JSP files in executable web directories.

For European organizations, this vulnerability poses a significant threat, especially those relying on Commvault Command Center for backup, data management, and disaster recovery operations. Successful exploitation can lead to full system compromise, data theft, service disruption, and lateral movement within the network. Given that Commvault is often deployed in enterprise environments managing critical data, the impact includes potential loss of data integrity and availability, regulatory non-compliance (e.g., GDPR breaches), and reputational damage. The ability to execute arbitrary code remotely without authentication increases the risk of ransomware deployment or espionage activities. Organizations in sectors such as finance, healthcare, government, and critical infrastructure are particularly vulnerable due to the sensitive nature of their data and the strategic importance of their operations. The vulnerability could also be leveraged to pivot to other internal systems, amplifying the impact. The lack of known exploits in the wild provides a window for proactive mitigation, but the critical severity demands immediate action.

1. Immediate patching: Upgrade Commvault Command Center Innovation Release to version 11.38.20 or later with the specified service packs (SP38-CU20-433, SP38-CU20-436, SP38-CU25-434, SP38-CU25-438) to remediate the vulnerability. 2. Restrict network access: Limit access to the Command Center interface to trusted IP addresses and internal networks using firewalls and network segmentation to reduce exposure. 3. Implement Web Application Firewall (WAF) rules: Deploy WAF rules to detect and block suspicious ZIP uploads and path traversal attempts targeting the Command Center. 4. Monitor logs and alerts: Enable detailed logging of file upload activities and monitor for unusual ZIP extraction or JSP file creation events. 5. Harden server configurations: Disable or restrict execution of JSP files in directories where uploads occur, if feasible, to reduce the risk of code execution. 6. Conduct regular vulnerability scans and penetration tests focusing on backup infrastructure to detect similar issues. 7. Educate IT and security teams about this specific threat to ensure rapid detection and response. 8. Maintain offline backups and test recovery procedures to mitigate potential ransomware or data corruption scenarios resulting from exploitation.