
CVE-2025-34028: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Commvault Command Center Innovation Release

Critical
Tags: Vulnerability, CVE-2025-34028, CWE-22, CWE-306
Published: Tue Apr 22 2025 (04/22/2025, 16:32:23 UTC)
Source: CVE
Vendor/Project: Commvault
Product: Command Center Innovation Release

Description

The Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files that represent install packages. When the target server expands such a package, a path traversal flaw allows archive entries to be written outside the intended directory, which can result in remote code execution via a malicious JSP. This issue affects Command Center Innovation Release 11.38.0 to 11.38.20. The vulnerability is fixed in 11.38.20 with SP38-CU20-433 and SP38-CU20-436, and in 11.38.25 with SP38-CU25-434 and SP38-CU25-438.

AI-Powered Analysis

AI last updated: 08/05/2025, 01:07:52 UTC

Technical Analysis

CVE-2025-34028 is a critical vulnerability in Commvault Command Center Innovation Release versions 11.38.0 through 11.38.20. It is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, i.e. path traversal) combined with CWE-306 (Missing Authentication for Critical Function): the endpoint that accepts install packages can be reached without credentials, and the code that expands the uploaded ZIP does not confine entry paths to the intended directory.

The attack is the classic archive-extraction traversal pattern (often called "Zip Slip"). The attacker builds a ZIP whose entry names contain directory-climbing components. When the server expands the archive, those entries are written outside the extraction directory, including into locations that the application server will compile and execute as JSP (JavaServer Pages). Requesting the planted JSP then runs attacker-supplied code on the Command Center host, which is remote code execution.

The CVSS v3.1 base score is 10.0, the highest possible. The vector needs no authentication (PR:N) and no user interaction (UI:N), is reachable over the network (AV:N), and has Scope: Changed (S:C), meaning the compromise reaches resources beyond the vulnerable component itself; a 10.0 also implies low attack complexity and high confidentiality, integrity and availability impact.

The fix ships as 11.38.20 with SP38-CU20-433 and SP38-CU20-436, and as 11.38.25 with SP38-CU25-434 and SP38-CU25-438. Note that the affected range includes 11.38.20 itself: a bare 11.38.20 without the CU20 maintenance release is still vulnerable, so verify the installed maintenance release rather than the version number alone.

This analysis records no known exploitation in the wild. Treat that as a point-in-time statement and check the CISA Known Exploited Vulnerabilities catalog before triage, because a flaw that needs no credentials and no interaction is an easy target for mass exploitation.
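The extraction flaw described above, reduced to a runnable illustration. This is an added example and not Commvault's code: it builds a constructed ZIP in memory whose entry name climbs out of the extraction directory, shows that a naive extractor (join the entry name onto the destination, no containment check) writes the JSP into a stand-in web root, and shows the hardened form that resolves every target path and refuses anything outside the destination. The directory names, the "webroot" location and the archive contents are all assumptions for the demo.

```python
"""Zip Slip (CWE-22) during install-package expansion: naive vs hardened extractor.

Added illustration, not Commvault's code. The archive, directory names and the
'webroot' location are constructed for the demo; the containment check is the
generic one any archive extractor needs.
"""
import io
import os
import tempfile
import zipfile


def build_malicious_zip() -> bytes:
    """Constructed sample package: one benign entry plus one traversal entry.
    zipfile stores the entry name literally, so the '../' components survive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("package/manifest.txt", "name=demo-package\n")
        # Climbs two levels above the extraction directory into a hypothetical web root.
        zf.writestr("../../webroot/shell.jsp", '<% out.println("pwned"); %>')
    return buf.getvalue()


def extract_naive(zip_bytes: bytes, dest: str) -> list:
    """Vulnerable pattern: os.path.join(dest, entry_name) with no containment check.
    (ZipFile.extractall() itself strips '../'; hand-rolled extractors often do not.)"""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # '../' passes straight through
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.abspath(target))
    return written


def extract_safe(zip_bytes: bytes, dest: str) -> tuple:
    """Hardened: resolve the final path and require it to stay under dest.
    realpath() collapses '..' and symlinks; commonpath() avoids the string-prefix
    bug where '/opt/dest2' would be accepted as inside '/opt/dest'."""
    dest_real = os.path.realpath(dest)
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if os.path.commonpath([dest_real, target]) != dest_real:
                rejected.append(info.filename)  # absolute entry names land here too
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.relpath(target, dest_real).replace(os.sep, "/"))
    return written, rejected


def demo() -> dict:
    """Run both extractors against the constructed package inside a scratch tree."""
    zip_bytes = build_malicious_zip()
    with tempfile.TemporaryDirectory() as root:
        webroot = os.path.join(root, "webroot")  # stand-in for the app server's JSP directory
        os.makedirs(webroot)
        naive_dest = os.path.join(root, "install", "naive")
        safe_dest = os.path.join(root, "install", "safe")
        os.makedirs(naive_dest)
        os.makedirs(safe_dest)

        extract_naive(zip_bytes, naive_dest)
        planted = os.path.join(webroot, "shell.jsp")
        naive_escaped = os.path.isfile(planted)
        if naive_escaped:
            os.remove(planted)

        written, rejected = extract_safe(zip_bytes, safe_dest)
        safe_escaped = os.path.isfile(planted)

        return {
            "naive_escaped": naive_escaped,
            "safe_written": written,
            "safe_rejected": rejected,
            "safe_escaped": safe_escaped,
        }


if __name__ == "__main__":
    print(demo())
```

The check worth copying is the combination of `realpath` and `commonpath`: normalising the name with `os.path.normpath` alone still lets an absolute entry name or a symlink inside the destination escape, and a plain `startswith(dest)` prefix test is fooled by sibling directories that share the prefix.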

Potential Impact

For European organizations, the impact of CVE-2025-34028 can be substantial. Commvault is widely used in enterprise environments for data protection, backup, and recovery solutions. A successful exploitation could allow attackers to execute arbitrary code on backup management servers, potentially leading to full system compromise. This could result in unauthorized access to sensitive backup data, disruption of backup and recovery operations, and lateral movement within the network. Given the critical role of backup infrastructure in business continuity, exploitation could lead to data loss, prolonged downtime, and severe operational disruptions. Additionally, attackers could deploy ransomware or other malware via the compromised system, amplifying the damage. The lack of authentication requirement and remote exploitability increase the risk of widespread attacks, especially in environments where the Command Center is exposed to untrusted networks or insufficiently segmented. The vulnerability also poses compliance risks under European data protection regulations such as GDPR, as unauthorized access to backup data could lead to data breaches and regulatory penalties.

Mitigation Recommendations

European organizations should prioritize patching affected Commvault Command Center Innovation Release installations. The fix is a maintenance release on top of the base version, not the version number alone: the fixed maintenance releases for 11.38.20 are SP38-CU20-433 and SP38-CU20-436, and for 11.38.25 they are SP38-CU25-434 and SP38-CU25-438. The CU20 and CU25 packages belong to their respective base versions, not all four together. Verify the installed maintenance release after patching, because 11.38.20 without the CU20 packages is still inside the affected range.

Until patches are applied, restrict network access to the Command Center interface with strict firewall rules and network segmentation; it should not be reachable from untrusted networks at all. A Web Application Firewall rule for path traversal and suspicious file uploads is a stopgap only: the traversal sequence sits in the uploaded archive's entry names rather than in the request path, so the rule has to inspect the upload body, and it should be assumed to be bypassable.

For detection and response, monitor for unusual ZIP uploads to the Command Center and for JSP files appearing in directories the application server executes from, and audit backup servers for unauthorized files or changes against a known-good baseline. Keep strict access controls and multi-factor authentication on administrative interfaces; they do not block this unauthenticated flaw, but they reduce the risk from other vectors. Finally, maintain an incident response plan tailored to backup-infrastructure compromise, since a compromised backup server is both a source of sensitive data and a staging point for ransomware, and rapid containment and recovery depend on having that plan ready.
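One way to carry out the "audit for unauthorized files" step above, as an added example that is not Commvault tooling: hash every file under the web root into a baseline, then diff a later snapshot against it and surface anything new or altered that the application server would execute as JSP. The sample tree, file names and baseline location are constructed for the demo.

```python
"""Baseline-and-diff audit of a web root for planted or altered JSP files.

Added illustration, not Commvault tooling. The sample tree, file names and the
baseline location are constructed for the demo.
"""
import hashlib
import json
import os
import tempfile

# Extensions a servlet container will compile and run on request.
WEB_SHELL_SUFFIXES = (".jsp", ".jspx", ".jspf")


def snapshot(root: str) -> dict:
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = h.hexdigest()
    return digests


def save_baseline(path: str, digests: dict) -> None:
    """Persist the trusted snapshot; keep this file off the audited host in practice."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(digests, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def diff_against_baseline(baseline: dict, current: dict) -> dict:
    """Classify changes; new or altered JSP-family files are the findings to act on first."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    suspicious = sorted(p for p in added + modified if p.lower().endswith(WEB_SHELL_SUFFIXES))
    return {"added": added, "removed": removed, "modified": modified, "suspicious_jsp": suspicious}


def _write(root: str, rel: str, text: str) -> None:
    """Helper for building the constructed sample tree."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo() -> dict:
    """Baseline a constructed clean web root, then simulate a post-exploitation drop."""
    with tempfile.TemporaryDirectory() as root:
        webroot = os.path.join(root, "webroot")
        _write(webroot, "index.jsp", "<html>ok</html>")
        _write(webroot, "WEB-INF/web.xml", "<web-app/>")
        _write(webroot, "static/app.css", "body{}")
        baseline_file = os.path.join(root, "baseline.json")  # outside the audited tree
        save_baseline(baseline_file, snapshot(webroot))

        # Constructed changes: a dropped web shell, a trojaned page, and a benign asset.
        _write(webroot, "shell.jsp", "<%-- constructed web shell placeholder --%>")
        _write(webroot, "index.jsp", "<html>ok</html><%-- appended --%>")
        _write(webroot, "static/logo.png", "not really a png")

        return diff_against_baseline(load_baseline(baseline_file), snapshot(webroot))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Take the baseline from a freshly patched or clean install and store it off the host; a baseline taken after compromise only certifies the attacker's files. The benign `static/logo.png` addition shows why the JSP filter matters: on a busy server the raw added/modified lists are noisy, and the executable-file subset is what needs a human first.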


Technical Details

Data Version
5.1
Assigner Short Name
VulnCheck
Date Reserved
2025-04-15T19:15:22.545Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d9819c4522896dcbd89e3

Added to database: 5/21/2025, 9:08:41 AM

Last enriched: 8/5/2025, 1:07:52 AM

Last updated: 8/6/2025, 12:34:11 AM
