CVE-2025-34028: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Commvault Command Center Innovation Release
The Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files that represent install packages and that, when expanded by the target server, are subject to a path traversal vulnerability that can result in Remote Code Execution via a malicious JSP. This issue affects Command Center Innovation Release: 11.38.0 to 11.38.20. The vulnerability is fixed in 11.38.20 with SP38-CU20-433 and SP38-CU20-436 and also fixed in 11.38.25 with SP38-CU25-434 and SP38-CU25-438.
AI Analysis
Technical Summary
CVE-2025-34028 is a critical security vulnerability identified in Commvault's Command Center Innovation Release, specifically affecting versions 11.38.0 through 11.38.20. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) combined with CWE-306 (Missing Authentication for Critical Function). It allows an unauthenticated attacker to upload ZIP files that represent installation packages. When these ZIP files are extracted by the vulnerable server, the path traversal flaw enables the attacker to write files outside the intended directory structure. This can be exploited to deploy malicious JSP (JavaServer Pages) files, which can then be executed remotely, resulting in remote code execution (RCE). The vulnerability requires no authentication or user interaction, making it highly exploitable over the network. The CVSS v3.1 base score is 9.3 (critical), reflecting the ease of exploitation and the severe impact on confidentiality, integrity, and availability. The vulnerability has been addressed in Commvault Command Center Innovation Release versions 11.38.20 (with patches SP38-CU20-433 and SP38-CU20-436) and 11.38.25 (with patches SP38-CU25-434 and SP38-CU25-438). No public exploits have been reported yet, but the vulnerability's nature and severity make it a high priority for remediation. The flaw stems from insufficient validation and sanitization of file paths during ZIP extraction, allowing attackers to escape restricted directories and place malicious code in executable locations.
Potential Impact
The impact of CVE-2025-34028 is severe for organizations using affected versions of Commvault Command Center Innovation Release. Successful exploitation allows unauthenticated attackers to execute arbitrary code remotely, potentially leading to full system compromise. This can result in unauthorized access to sensitive data, disruption of backup and data management operations, and potential lateral movement within the network. Given Commvault's role in enterprise data protection and backup, exploitation could undermine data integrity and availability, causing significant operational and financial damage. The lack of authentication and user interaction requirements increases the risk of automated attacks and worm-like propagation. Organizations may face data breaches, ransomware deployment, or persistent backdoors. The vulnerability also poses risks to compliance with data protection regulations due to potential unauthorized data access and system manipulation.
Mitigation Recommendations
To mitigate CVE-2025-34028, organizations should immediately upgrade Commvault Command Center Innovation Release to version 11.38.20 or later, applying the specific patches SP38-CU20-433, SP38-CU20-436, SP38-CU25-434, or SP38-CU25-438 as appropriate. Until patches are applied, restrict network access to the Command Center interface to trusted IPs and implement strict firewall rules to limit exposure. Monitor logs for suspicious ZIP file uploads or unexpected file extraction activities. Employ application-layer filtering or web application firewalls (WAFs) to detect and block malicious payloads targeting the upload functionality. Conduct thorough audits of file system permissions to ensure that the application runs with the least privilege necessary, limiting the impact of any potential exploitation. Additionally, implement network segmentation to isolate backup infrastructure from critical production systems. Regularly review and update incident response plans to include scenarios involving remote code execution via path traversal vulnerabilities.
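The root cause described above (archive entries whose names escape the extraction directory) and the "monitor for suspicious ZIP uploads" recommendation both come down to the same check: resolve every entry name against the intended root before writing anything. The following is an added illustration, not Commvault code or a description of its fix; the archive contents, the `pkg/...` names and the destination paths are constructed for the demo.

```python
import io
import os
import posixpath
import tempfile
import zipfile
from typing import List

def entry_is_contained(dest_root: str, entry_name: str) -> bool:
    """True only if the ZIP entry name resolves to a path inside dest_root."""
    name = entry_name.replace("\\", "/")          # treat backslashes as separators too
    if posixpath.isabs(name) or (len(name) > 1 and name[1] == ":"):
        return False                              # absolute POSIX path or Windows drive
    root = os.path.realpath(dest_root)
    target = os.path.realpath(os.path.join(root, *name.split("/")))
    return os.path.commonpath([root, target]) == root

def audit_zip(zip_bytes: bytes, dest_root: str) -> List[str]:
    """Return the names of all entries that would escape dest_root on extraction."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not entry_is_contained(dest_root, n)]

def safe_extract(zip_bytes: bytes, dest_root: str) -> int:
    """Validate every entry first, then extract; returns the number of files written."""
    rejected = audit_zip(zip_bytes, dest_root)
    if rejected:
        # Fail closed before writing anything, so no partial package is left behind.
        raise ValueError(f"archive rejected, traversal entries: {rejected}")
    written = 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Build the destination from the already-validated name, under the real root.
            dest = os.path.join(os.path.realpath(dest_root), *info.filename.split("/"))
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with zf.open(info) as src, open(dest, "wb") as dst:
                dst.write(src.read())
            written += 1
    return written

def build_sample_zip(malicious: bool) -> bytes:
    """Constructed fixture: a benign package, optionally with one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pkg/manifest.txt", "name=demo\n")
        zf.writestr("pkg/lib/helper.txt", "placeholder\n")
        if malicious:
            zf.writestr("../../outside/escaped.txt", "constructed marker\n")
    return buf.getvalue()

def demo() -> tuple:
    """Audit the bad archive and extract the good one; returns (rejected, files_written)."""
    root = tempfile.mkdtemp()
    return audit_zip(build_sample_zip(True), root), safe_extract(build_sample_zip(False), root)
```

The audit step needs no write access, so the same `audit_zip` check can run on uploads at a gateway before the package ever reaches the server that expands it.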
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Japan, India, Netherlands, Singapore
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.545Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9819c4522896dcbd89e3
Added to database: 5/21/2025, 9:08:41 AM
Last enriched: 2/27/2026, 1:19:03 PM
Last updated: 3/25/2026, 7:30:08 AM