
Enterprises using Commvault Innovation Release are urged to patch immediately against CVE-2025-34028. This critical flaw allows attackers to run code remotely and gain full control.
A severe security vulnerability has been discovered in the Commvault Command Center, a widely adopted solution for enterprise backup and data management. This flaw, tracked as CVE-2025-34028 and assigned a critical severity score of 9.0 out of 10, could allow remote attackers to execute any code they want on vulnerable Commvault installations without having to log in.
The dangerous weakness was discovered and responsibly reported on April 7, 2025, by Sonny Macdonald, a researcher with watchTowr Labs. Their analysis revealed that the vulnerability lies within a specific web interface component named “deployWebpackage.do.”
This endpoint is susceptible to a pre-authenticated Server-Side Request Forgery (SSRF) attack due to a lack of proper validation of the external servers the Commvault system is permitted to interact with.
Commvault itself acknowledged the issue in a security advisory released on April 17, 2025, stating that this flaw “could result in a complete compromise of the Command Center environment,” potentially exposing sensitive data and disrupting critical operations.
However, the SSRF vulnerability is only the starting point for achieving full code execution. Research revealed that attackers can further exploit it by sending a specially crafted ZIP archive containing a malicious “.JSP” file, tricking the Commvault server into fetching it from a server controlled by the attacker. The contents of this ZIP are then extracted to a temporary directory, a location the attacker can influence.
By cleverly manipulating the “servicePack” parameter in subsequent requests, the attacker can traverse the system’s directories, moving their malicious “.JSP” file into a publicly accessible location, such as “../../Reports/MetricsUpload/shell.” Finally, by triggering the SSRF vulnerability again, the attacker can execute their “.JSP” file from this accessible location, effectively running arbitrary code on the Commvault system.
However, in this case, the ZIP file isn’t read in a typical way. Instead, it’s read from a “multipart request” before the vulnerable part of the software processes it. This could allow hackers to bypass security measures that might block normal web requests.
watchTowr Labs reported the security issue to Commvault, which quickly addressed it with a patch. The patch was released on April 10, 2025, and the issue was later disclosed on April 17, 2025.
Commvault confirmed that the problem only affected the “Innovation Release” software versions 11.38.0 to 11.38.19 for Linux and Windows systems; therefore, updating to version 11.38.20 or 11.38.25 will resolve the issue. watchTowr Labs has also created a “Detection Artefact Generator” to help administrators identify systems exposed to CVE-2025-34028.
This research highlights that backup systems are becoming high-value targets for cyberattacks. These systems are crucial for restoring normal operations after an attack, and if they are controlled by an adversary, they pose a significant threat, primarily because they often hold credentials for essential company systems. The severity of the flaw emphasises the need for swift security updates for data protection and backup infrastructure to ensure the best possible protection from such attacks.
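As an added example, not taken from the article or from watchTowr's Detection Artefact Generator, the Python below applies the chain described above to constructed access-log lines: it flags deployWebpackage.do requests whose servicePack parameter carries path traversal, flags hits on a .jsp under Reports/MetricsUpload, and checks whether a reported version falls inside the affected 11.38.0 to 11.38.19 range. The URL prefix, the log line format and the parameter encoding are assumptions, not Commvault's real formats.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (method, request target, status).
# These are not real Commvault logs; the /commandcenter prefix is assumed.
SAMPLE_LOG = """\
GET /commandcenter/deployWebpackage.do?servicePack=11.38&commcellid=1 200
POST /commandcenter/deployWebpackage.do?servicePack=..%2F..%2FReports%2FMetricsUpload%2Fshell 200
GET /commandcenter/Reports/MetricsUpload/shell/cmd.jsp?x=1 200
GET /commandcenter/login.do 200
"""

LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$")


def suspicious_requests(log_text):
    """Return (line_no, reason) pairs for requests that match the CVE-2025-34028
    chain: traversal in the servicePack parameter of deployWebpackage.do, or a
    .jsp served from Reports/MetricsUpload, the drop location named above."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        parts = urlsplit(m["target"])
        path = parts.path
        params = parse_qs(parts.query, keep_blank_values=True)  # decodes %2F once
        if path.endswith("/deployWebpackage.do"):
            for sp in params.get("servicePack", []):
                # unquote again so double-encoded traversal is also caught
                if "../" in unquote(sp).replace("\\", "/"):
                    findings.append((n, "path traversal in servicePack"))
                    break
        if "/Reports/MetricsUpload/" in path and path.lower().endswith(".jsp"):
            findings.append((n, "JSP executed from MetricsUpload"))
    return findings


def is_vulnerable_version(version):
    """True when version is in the affected Innovation Release range 11.38.0 to 11.38.19."""
    major, minor, patch = (int(x) for x in version.split(".")[:3])
    return (major, minor) == (11, 38) and 0 <= patch <= 19


if __name__ == "__main__":
    for line_no, reason in suspicious_requests(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
    print("11.38.19 vulnerable:", is_vulnerable_version("11.38.19"))
```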
Agnidipta Sarkar, VP CISO Advisory, ColorTokens, commented on the latest development, stating, “This CVSS 10 flaw allows unauthenticated remote code execution, risking full compromise of Commvault’s Command Center. Immediate, sustained mitigation is essential. If a full network shutdown isn’t feasible, tools like Xshield Gatekeeper can quickly isolate critical systems. Without action, the threat of ransomware and data loss is severe.”