CVE-2025-34028: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Commvault Command Center Innovation Release
The Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files that represent install packages and that, when expanded by the target server, are subject to a path traversal vulnerability that can result in Remote Code Execution via a malicious JSP. This issue affects Command Center Innovation Release: 11.38.0 to 11.38.20. The vulnerability is fixed in 11.38.20 with SP38-CU20-433 and SP38-CU20-436 and also fixed in 11.38.25 with SP38-CU25-434 and SP38-CU25-438.
AI Analysis
Technical Summary
CVE-2025-34028 is a path traversal vulnerability (CWE-22) combined with improper access control (CWE-306) in the Commvault Command Center Innovation Release, specifically versions 11.38.0 through 11.38.20. The vulnerability arises because the product allows unauthenticated actors to upload ZIP files representing install packages. When these ZIP files are expanded on the target server, the path traversal flaw enables the attacker to write files outside the intended directory structure. This can be exploited to deploy malicious JSP files, which the server may execute, resulting in remote code execution (RCE). The vulnerability requires no authentication or user interaction, making it highly exploitable over the network. The issue is addressed in versions 11.38.20 (with SP38-CU20-433 and SP38-CU20-436) and 11.38.25 (with SP38-CU25-434 and SP38-CU25-438). The CVSS 3.1 base score of 9.3 reflects the critical nature of the flaw, highlighting its ease of exploitation and severe impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild, but the vulnerability's characteristics suggest it could be rapidly weaponized. The root cause is insufficient validation and sanitization of file paths during ZIP extraction, combined with a lack of authentication controls on the upload functionality.
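The root cause described above is the well-known "zip slip" pattern: an extractor that joins each archive entry name to its destination without checking where the result lands. The following Python extractor is an added example (not Commvault's code and not a description of its patch) showing the check that such an extractor lacks: every entry is resolved against the extraction root and the whole package is rejected if any entry escapes it. The sample package is constructed in memory; the entry names and the UnsafeZipEntry class are illustrative.

```python
import io
import zipfile
from pathlib import Path


class UnsafeZipEntry(ValueError):
    """Raised when an archive entry would land outside the extraction root."""


def safe_target(root: Path, member_name: str) -> Path:
    """Resolve an entry name against root and refuse anything that escapes it.
    This is the check a zip-slip vulnerable extractor lacks: '../' sequences and
    absolute names cannot redirect the write into, say, a webapp directory."""
    root = root.resolve()
    name = member_name.replace("\\", "/")  # ZIP names may use either separator
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        raise UnsafeZipEntry(f"absolute path rejected: {member_name!r}")
    target = (root / name).resolve()
    if target != root and root not in target.parents:
        raise UnsafeZipEntry(f"path traversal rejected: {member_name!r}")
    return target


def extract_install_package(data: bytes, root: Path) -> list[str]:
    """Extract a ZIP under root; every entry is validated before any write."""
    root = root.resolve()
    written: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Validate the whole archive first: one bad entry rejects the package
        # instead of leaving a partially written install behind.
        targets = [(i, safe_target(root, i.filename)) for i in zf.infolist()]
        for info, target in targets:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target.relative_to(root).as_posix())
    return written


def build_package(entries: dict[str, bytes]) -> bytes:
    """Constructed sample input: build an in-memory ZIP from name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

A package containing a single entry such as `../../webapps/evil.jsp` is refused before any file is created, which is the behaviour the unauthenticated upload path lacked in the affected builds.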
Potential Impact
For European organizations, the impact of this vulnerability is severe. Commvault is widely used for data protection, backup, and disaster recovery, often in sectors such as finance, healthcare, government, and critical infrastructure. Successful exploitation could lead to full system compromise, data theft, ransomware deployment, or disruption of backup operations, severely affecting business continuity and data integrity. The ability to execute arbitrary code remotely without authentication increases the risk of widespread attacks, potentially impacting multiple organizations simultaneously. Given the critical nature of backup systems, exploitation could also undermine incident response and recovery efforts. Organizations handling sensitive or regulated data face additional compliance and reputational risks. The vulnerability's network-exploitable nature means attackers can target exposed Command Center instances directly, increasing the threat surface for European enterprises with internet-facing management consoles or insufficient network segmentation.
Mitigation Recommendations
European organizations should immediately verify their Commvault Command Center version and apply the patches available in versions 11.38.20 (SP38-CU20-433, SP38-CU20-436) or 11.38.25 (SP38-CU25-434, SP38-CU25-438). If patching is not immediately possible, restrict network access to the Command Center upload functionality using firewalls or network segmentation to limit exposure. Implement strict input validation and file path sanitization controls where possible. Monitor logs for unusual upload activity or unexpected file creations, especially JSP files outside expected directories. Employ application-layer firewalls or intrusion detection systems to detect and block exploitation attempts. Conduct thorough audits of backup infrastructure to ensure no unauthorized files have been deployed. Educate IT and security teams about this vulnerability to prioritize remediation and incident response readiness. Finally, review and harden authentication and authorization controls around management interfaces to prevent unauthorized access.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.545Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9819c4522896dcbd89e3
Added to database: 5/21/2025, 9:08:41 AM
Last enriched: 11/29/2025, 4:07:07 AM
Last updated: 1/7/2026, 8:56:49 AM