Commvault RCE Exploited, PoC Available

A major remote code execution (RCE) vulnerability, CVE-2025-34028, has been discovered in Commvault’s on-premise backup and recovery software, posing serious risks to enterprises and managed service providers worldwide.

Commvault RCE – CVE-2025-34028

The flaw allows attackers to execute malicious code without authentication. After researchers released a working proof-of-concept exploit, threat actors began actively scanning for vulnerable systems.

Commvault, widely used for enterprise backup and data protection, now faces scrutiny as the flaw undermines trust in backup security. Experts warn that if backup systems are compromised, recovery from ransomware becomes nearly impossible.

CVE-2025-34028 Exploitation: From SSRF to RCE

The issue lies in an API endpoint (/commandcenter/deployWebpackage.do) meant for internal use. The endpoint can nevertheless be reached without authentication, allowing attackers to perform dangerous actions.

By exploiting this flaw, attackers can:

  • Trick the server into making internal requests (SSRF).
  • Use directory traversal to write files in sensitive locations.
  • Upload and run malicious code like webshells, leading to full remote code execution (RCE).

Researchers showed that attackers can drop and execute arbitrary JSP files on the server, completely compromising it.

A working proof-of-concept is now public, and attackers are already scanning for vulnerable systems.

Urgent Steps to Stay Protected

  • Update Now: Commvault has released security patches. All users should apply them right away.
  • Watch for Suspicious Activity: Check for strange deployment requests, unknown files in web folders, or unusual outgoing traffic.
  • Limit Internet Access: Keep backup tools and management panels off the public internet whenever possible.
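As an added example (not code from Commvault or from the researchers), the "strange deployment requests" check above can be run over web access logs like this: it flags requests to /commandcenter/deployWebpackage.do from outside an admin network and any JSP fetched afterwards by the same client. The log layout, the admin network range and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Endpoint named in the advisory above; compared case-insensitively.
DEPLOY_PATH = "/commandcenter/deploywebpackage.do"
# Assumption: networks from which admins legitimately reach Command Center.
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Assumption: common/combined access-log layout; adjust to your web tier.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = """\
10.20.0.15 - admin [24/Apr/2025:09:01:10 +0000] "GET /commandcenter/index.jsp HTTP/1.1" 200 5120
203.0.113.50 - - [24/Apr/2025:09:14:02 +0000] "POST /commandcenter/deployWebpackage.do HTTP/1.1" 200 31
203.0.113.50 - - [24/Apr/2025:09:14:09 +0000] "GET /reports/x1/status.jsp HTTP/1.1" 200 12
198.51.100.7 - - [24/Apr/2025:09:20:44 +0000] "GET /commandcenter/deployWebpackage.do HTTP/1.1" 404 0
10.20.0.15 - admin [24/Apr/2025:09:30:00 +0000] "GET /commandcenter/api/jobs HTTP/1.1" 200 900
"""

def is_admin(ip):
    """True when the client address sits inside an allowed admin network."""
    return any(ipaddress.ip_address(ip) in net for net in ADMIN_NETS)

def review(log_text):
    """Return a list of (kind, client_ip, timestamp, path) findings."""
    findings, deployers = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ip, ts, _method, target, _status = m.groups()
        # Percent-decode and drop the query string before comparing.
        path = unquote(urlsplit(target).path)
        if path.lower() == DEPLOY_PATH:
            if not is_admin(ip):
                deployers.add(ip)
                findings.append(("deploy-request", ip, ts, path))
        elif path.lower().endswith(".jsp") and ip in deployers:
            # JSP fetched by a client that earlier hit the deploy endpoint.
            findings.append(("jsp-after-deploy", ip, ts, path))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding, sep="  ")
```

Each finding is a starting point for triage: a "jsp-after-deploy" hit warrants checking whether that JSP file is part of the installed product or an unknown file in a web folder.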

This CVE-2025-34028 case is a clear warning — even security tools can become threats if not properly maintained.

2025-04-25T22:21:38+05:30 | April 24th, 2025 | BOTNET, Compromised, Exploitation, Internet Security, Security Advisory, Security Update

About the Author:

FirstHackersNews- Identifies Security
