Enterprises and managed service providers globally are now facing urgent security concerns following the disclosure of a major pre-authenticated remote code execution (RCE) vulnerability in Commvault’s on-premise backup and recovery software.
The issue, tracked as CVE-2025-34028, has rocked the cybersecurity world, particularly after researchers published a fully working proof-of-concept (PoC) exploit.
With attackers actively probing for targets, organizations are being advised to act swiftly.
Commvault is recognized as a leading enterprise-grade solution for backup, recovery, and data resilience.
As businesses increasingly depend on such tools to defend against ransomware and data loss, their security is more crucial than ever. The recently discovered flaw compromises this very trust.
Researchers from watchTowr Labs, who previously analyzed similar products from vendors such as Veeam and NAKIVO, unearthed CVE-2025-34028 in Commvault’s Windows on-premise software (Innovation Release 11.38.20).
Their detailed analysis likened the vulnerability hunt to a cinematic heist, emphasizing the high stakes involved when backup systems themselves become targets—rendering “restore from backup” an unviable defense against ransomware if the backups are tainted.
Exploitation Details (CVE-2025-34028): From SSRF to RCE
The vulnerability resides in a pre-authenticated API endpoint, /commandcenter/deployWebpackage.do, designed for internal package deployments.
The endpoint is intended to accept three parameters (commcellName, servicePack, version), but it inadvertently allows unauthenticated external users both to initiate internal requests (a classic Server-Side Request Forgery, or SSRF) and to manipulate filesystem paths through directory traversal in the servicePack parameter.
Attackers can leverage the flaw to:
- Make the Commvault server fetch and write arbitrary data from attacker-controlled hosts.
- Use crafted paths to drop files in sensitive directories.
- Ultimately, deploy a malicious zip archive containing webshells or other executable code, achieving remote code execution under the system’s context.
The researchers confirmed that, by exploiting SSRF and a lack of directory sanitization, arbitrary JavaServer Pages (JSP) files could be written and executed on the server—a complete compromise.
Proof-of-Concept Published, Exploitation Underway
A fully weaponized PoC is now public, dramatically lowering the barrier for attackers. Security teams have already observed scanning and exploitation attempts in the wild.
The criticality of CVE-2025-34028 cannot be overstated: if left unpatched, attackers can seize control of backup servers, steal credentials, exfiltrate sensitive archives, or launch ransomware attacks that disable recovery options.
Urgent Recommendations
- Patch Immediately: Commvault has issued security updates; all installations should be upgraded without delay.
- Monitor for Indicators: Organizations should look for unusual deployment requests, new files in web directories, or unexpected outbound traffic.
- Restrict Public Access: Where feasible, ensure backup management interfaces are not exposed to the internet.
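The "Monitor for Indicators" recommendation above can be made concrete with a small log-scanning check. The following Python script is an added example, not code from the article, from watchTowr Labs, or from Commvault. It reads web-server access-log lines in the common/combined format and flags requests to the /commandcenter/deployWebpackage.do endpoint named in the article, scoring them on three signals: the request arriving from a non-internal address (the endpoint is pre-authenticated), a directory-traversal sequence in any of the three parameters (the article names servicePack), and a commcellName given as a bare IP literal (a cheap SSRF heuristic). The internal address prefixes, the IP-literal heuristic, and the sample log lines are all constructed assumptions for the demonstration.

```python
"""Access-log triage for requests to Commvault's pre-authenticated
/commandcenter/deployWebpackage.do endpoint (CVE-2025-34028).

Added example for defenders; the endpoint and parameter names come from
the advisory, everything else (ranges, heuristics, sample lines) is
constructed for illustration.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/commandcenter/deployWebpackage.do"
PARAMS = ("commcellName", "servicePack", "version")

# Traversal sequences, plain or percent-encoded; values are also checked
# after an extra decode so a double-encoded "..%252F" is not missed.
TRAVERSAL = re.compile(r"\.\.[/\\]|%2e%2e", re.IGNORECASE)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Common/combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumption: the organisation's management network lives in these ranges.
INTERNAL_PREFIXES = ("10.", "192.168.")


def analyze(line, internal_prefixes=INTERNAL_PREFIXES):
    """Return None for lines that do not hit the endpoint, otherwise a dict
    with the parsed fields and the list of reasons the request looks suspicious
    (an empty list means the request hit the endpoint but showed no signal)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path != ENDPOINT:
        return None
    params = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    reasons = []
    if not m["ip"].startswith(internal_prefixes):
        reasons.append("pre-auth deployment endpoint reached from non-internal address")
    for name in PARAMS:
        value = params.get(name, "")
        if TRAVERSAL.search(value) or TRAVERSAL.search(unquote(value)):
            reasons.append(f"traversal sequence in {name}")
    if IPV4.match(params.get("commcellName", "")):
        reasons.append("commcellName is an IP literal (possible SSRF target)")
    return {
        "ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
        "params": params, "reasons": reasons,
    }


def scan(lines, internal_prefixes=INTERNAL_PREFIXES):
    """Yield only findings that carry at least one reason."""
    for line in lines:
        hit = analyze(line, internal_prefixes)
        if hit and hit["reasons"]:
            yield hit


# Constructed sample log lines (not real traffic): one benign internal
# deployment request, one external request with traversal, one unrelated hit.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Apr/2025:10:01:02 +0000] "GET /commandcenter/deployWebpackage.do'
    '?commcellName=cc01&servicePack=SP38&version=11.38 HTTP/1.1" 200 512',
    '203.0.113.7 - - [24/Apr/2025:10:05:09 +0000] "GET /commandcenter/deployWebpackage.do'
    '?commcellName=203.0.113.7&servicePack=..%2F..%2Fplaceholder&version=1 HTTP/1.1" 200 77',
    '10.0.0.9 - - [24/Apr/2025:10:06:00 +0000] "GET /commandcenter/ HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ts"], finding["ip"], finding["status"], "; ".join(finding["reasons"]))
```

Run against the sample data, only the second line is reported, with all three signals set. In a real deployment, feed it the reverse proxy or Tomcat access log and treat any hit on the endpoint from outside the management network as worth a look regardless of the other signals, since the endpoint requires no authentication.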
The Commvault CVE-2025-34028 story serves as a stark reminder: Even the tools meant to protect against disaster can become entry points if software security is not maintained vigilantly.