Enterprises and managed service providers globally are now facing urgent security concerns following the disclosure of a major pre-authenticated remote code execution (RCE) vulnerability in Commvault’s on-premise backup and recovery software.
The issue, tracked as CVE-2025-34028, has rocked the cybersecurity world, particularly after researchers published a fully working proof-of-concept (PoC) exploit.
With attackers actively probing for targets, organizations are being advised to act swiftly.
Commvault is recognized as a leading enterprise-grade solution for backup, recovery, and data resilience.
As businesses increasingly depend on such tools to defend against ransomware and data loss, their security is more crucial than ever. The recently discovered flaw compromises this very trust.
Researchers from watchTowr Labs, who previously analyzed similar products from vendors like Veeam and NAKIVO, unearthed CVE-2025-34028 in Commvault’s Windows on-premise software (Innovation Release 11.38.20).
Their detailed analysis likened the vulnerability hunt to a cinematic heist, emphasizing the high stakes involved when backup systems themselves become targets—rendering “restore from backup” an unviable defense against ransomware if the backups are tainted.
The vulnerability resides in a pre-authenticated API endpoint, /commandcenter/deployWebpackage.do, designed for internal package deployments.
The endpoint, intended to accept three parameters (commcellName, servicePack, version), inadvertently allows unauthenticated external users not only to initiate internal requests—a classic Server-Side Request Forgery (SSRF)—but also to manipulate filesystem paths through directory traversal in the servicePack parameter.
Attackers can leverage the flaw to:
The researchers confirmed that, by exploiting SSRF and a lack of directory sanitization, arbitrary JavaServer Pages (JSP) files could be written and executed on the server—a complete compromise.
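As an added defensive example, not code from the article or from Commvault: a small Python detector that flags web-access-log requests to the endpoint named above whose servicePack parameter carries directory-traversal sequences, including percent-encoded and double-encoded forms. The combined log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint and parameter names come from the advisory; everything else here is a
# constructed detection helper, not Commvault code.
ENDPOINT = "/commandcenter/deployWebpackage.do"
TRAVERSAL = re.compile(r"\.\.[/\\]")

# Request line of a combined-format access log: "METHOD target HTTP/x.y"
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def classify(line: str) -> str:
    """Return 'exploit-attempt', 'endpoint-hit' or 'benign' for one log line."""
    m = REQ_RE.search(line)
    if not m:
        return "benign"
    parts = urlsplit(m.group("target"))
    if parts.path.lower() != ENDPOINT.lower():
        return "benign"
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("servicePack", []):
        # parse_qs decoded once already; unquote twice more to catch
        # double- and triple-encoded traversal such as %252e%252e%252f
        decoded = unquote(unquote(value))
        if TRAVERSAL.search(decoded):
            return "exploit-attempt"
    # Any pre-auth hit on this endpoint is worth a look even without traversal
    return "endpoint-hit"


def scan(lines):
    """Count verdicts for a batch of log lines and return the non-benign ones."""
    counts = {"exploit-attempt": 0, "endpoint-hit": 0, "benign": 0}
    hits = []
    for line in lines:
        verdict = classify(line)
        counts[verdict] += 1
        if verdict != "benign":
            hits.append((verdict, line))
    return counts, hits


# Constructed sample log lines (not real traffic; addresses are documentation ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [23/Apr/2025:10:01:12 +0000] "GET /commandcenter/ HTTP/1.1" 200 512',
    '198.51.100.7 - - [23/Apr/2025:10:01:15 +0000] "GET /commandcenter/deployWebpackage.do?commcellName=x&servicePack=..%2F..%2Fplaceholder&version=1 HTTP/1.1" 500 0',
    '203.0.113.9 - - [23/Apr/2025:10:02:00 +0000] "POST /commandcenter/deployWebpackage.do?commcellName=cc1&servicePack=SP38&version=11.38 HTTP/1.1" 200 17',
]

if __name__ == "__main__":
    counts, hits = scan(SAMPLE_LOG)
    print(counts)
    for verdict, line in hits:
        print(verdict, "->", line)
```

Run it against real reverse-proxy or Tomcat access logs to triage which hosts were probed versus merely reachable.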
Proof-of-Concept Published, Exploitation Underway
A fully weaponized PoC is now public, dramatically lowering the barrier for attackers. Security teams have already observed scanning and exploitation attempts in the wild.
The criticality of CVE-2025-34028 cannot be overstated: if left unpatched, attackers can seize control of backup servers, steal credentials, exfiltrate sensitive archives, or launch ransomware attacks that disable recovery options.
Urgent Recommendations
The Commvault CVE-2025-34028 story serves as a stark reminder: Even the tools meant to protect against disaster can become entry points if software security is not maintained vigilantly.