Commvault warns of critical Command Center flaw

Commvault is warning customers of a critical vulnerability affecting Command Center, a web-based management console for its data protection and backup offerings.

The flaw, tracked as CVE-2025-34028, could allow unauthenticated remote attackers to execute arbitrary code on affected Linux and Windows installations.

“This Commvault vulnerability underscores a significant risk: attackers can exploit weak API endpoints to gain extensive access to sensitive systems,” said Eric Schwake, director of cybersecurity strategy at Salt Security. “The threat resides in the possibility of pre-authenticated remote code execution on systems that are often crucial to an organization’s data protection framework.”

Commvault is a widely used data protection, backup, and recovery platform, with customers including Amazon, Walmart, and Apple. A breach of the platform can disrupt an organization’s backup operations and open the way to unauthorized access, lateral movement, and the deployment of malware and ransomware.

SSRF flaw escalated to code execution

The vulnerability was reported by watchTowr Labs researcher Sonny Macdonald as a server-side request forgery (SSRF) issue in a pre-authenticated endpoint called deployWebpackage.do. Macdonald called it a “very straightforward pre-auth SSRF vulnerability, as there is no filtering limiting the hosts that can be communicated with.”

“SSRF vulnerabilities are rather difficult to discover, but they can cause significant damage,” said Thomas Richards, infrastructure security practice director at Black Duck. “Users of Commvault should patch their installation immediately and begin forensic examination to determine if their instance was exploited. If the instance was exposed to the internet at all, firewall restrictions should be put in place to control who can access it.”
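As a starting point for the forensic review and exposure check recommended above, the following is an added example, not code from the article, Commvault, or Black Duck. It scans constructed web-server access log lines (Apache/NGINX combined format, which is assumed here to be what a reverse proxy in front of Command Center writes) for requests to the deployWebpackage.do endpoint named in the article and flags those arriving from outside the management network. The path prefix in the sample lines, the trusted address ranges and the severity rules are assumptions; only the endpoint file name comes from the article.

```python
"""Flag requests to a pre-auth endpoint that arrive from untrusted addresses.

Added example (not from the article or Commvault). Matching is done on the
endpoint file name only, because the path prefix in the samples is assumed.
"""
import ipaddress
import re

# Endpoint name from the article; the "/commandcenter/" prefix below is constructed.
ENDPOINT_NAME = "deployWebpackage.do"

# Assumed ranges from which the console is legitimately administered.
TRUSTED_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Combined log format: client ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for internet sources.
SAMPLE_LOG = """\
10.1.2.3 - - [24/Apr/2025:10:00:01 +0000] "GET /commandcenter/ HTTP/1.1" 200 5120
203.0.113.7 - - [24/Apr/2025:10:02:14 +0000] "POST /commandcenter/deployWebpackage.do HTTP/1.1" 200 412
10.1.2.9 - - [24/Apr/2025:10:03:22 +0000] "POST /commandcenter/deployWebpackage.do HTTP/1.1" 200 412
198.51.100.23 - - [24/Apr/2025:10:05:40 +0000] "POST /commandcenter/deployWebpackage.do HTTP/1.1" 500 0
203.0.113.7 - - [24/Apr/2025:10:06:03 +0000] "GET /commandcenter/ HTTP/1.1" 401 0
"""


def is_trusted(ip_text: str) -> bool:
    """True when the client address falls inside one of the trusted ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable client field: treat as untrusted
    return any(ip in net for net in TRUSTED_NETS)


def scan(log_text: str) -> list[dict]:
    """Return one finding per request to the endpoint, each with a severity.

    high   - untrusted source and the server answered 2xx
    medium - untrusted source, any other status (still shows exposure)
    review - trusted source; verify against change records and admin activity
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if not path.lower().endswith(ENDPOINT_NAME.lower()):
            continue
        status = int(m["status"])
        if is_trusted(m["ip"]):
            severity = "review"
        elif 200 <= status < 300:
            severity = "high"
        else:
            severity = "medium"
        findings.append({
            "ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "status": status, "severity": severity,
        })
    return findings


def untrusted_sources(findings: list[dict]) -> set[str]:
    """Distinct external client addresses that reached the endpoint."""
    return {f["ip"] for f in findings if f["severity"] != "review"}


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:15} {f['ts']} {f['method']} -> {f['status']}")
```

Any "high" or "medium" finding means the endpoint was reachable from outside the trusted ranges, which is exactly the exposure the firewall advice above is meant to close; the "review" entries are the ones to reconcile with legitimate administrative activity.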

SSRF, a flaw that lets attackers trick a server into making unauthorized requests to internal or external systems, does not by itself allow code execution. In this case, however, Macdonald built a proof-of-concept exploit showing how the pre-authenticated SSRF could be escalated to remote code execution (RCE).

The escalation uses a ZIP archive containing a malicious .JSP file, which the server retrieves through the SSRF and then executes.
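The two weaknesses the chain above relies on, a server-side fetch with no restriction on the hosts it will contact and an archive whose contents are not inspected before use, each have a standard defensive control. The following added example (not Commvault's code, and not a description of how Command Center works internally) shows both: an allow-list check for the fetch target and a pre-extraction check on the ZIP that refuses path traversal and server-executable entries such as .jsp files. The scheme and host allow-list, the size ceiling, and the sample archive contents are assumptions constructed for illustration.

```python
"""Defensive checks for a 'fetch a package and unpack it' feature.

Added example, not Commvault's code. Allow-listing the fetch target removes
the SSRF; inspecting the archive removes the .jsp-in-a-ZIP escalation.
"""
import io
import ipaddress
import posixpath
import zipfile
from urllib.parse import urlsplit

# Assumed allow-list: the only origins this server may fetch packages from.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"packages.internal.example"}

# Entries a servlet container would execute if they landed inside a webapp.
FORBIDDEN_SUFFIXES = (".jsp", ".jspx", ".jspf", ".war", ".class", ".jar")
MAX_UNCOMPRESSED = 50 * 1024 * 1024  # assumed ceiling against decompression bombs


def validate_fetch_url(url: str) -> tuple[bool, str]:
    """Allow-list check for a server-side fetch target; returns (ok, reason).

    An allow-list (rather than a block-list of known-bad ranges) also covers
    loopback, link-local and cloud metadata addresses, since none are listed.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)
        return False, "IP literals not allowed; use an allow-listed name"
    except ValueError:
        pass  # not an IP literal, continue with the name check
    if host.lower() not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allow-list"
    return True, "ok"


def validate_archive(data: bytes) -> tuple[bool, str]:
    """Inspect a ZIP before extraction; returns (ok, reason).

    Rejects absolute paths, path traversal, server-executable entries and
    oversized content, so a 'web package' cannot plant a .jsp in the webapp.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return False, "not a valid ZIP archive"
    total = 0
    with zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith(("/", "\\")) or "\\" in name or ":" in name:
                return False, f"absolute or non-POSIX path: {name!r}"
            if ".." in posixpath.normpath(name).split("/"):
                return False, f"path traversal: {name!r}"
            if name.lower().endswith(FORBIDDEN_SUFFIXES):
                return False, f"server-executable entry: {name!r}"
            total += info.file_size  # declared uncompressed size
            if total > MAX_UNCOMPRESSED:
                return False, "archive expands beyond the size limit"
    return True, "ok"


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {name: content}; used to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    for url in (
        "https://packages.internal.example/ui.zip",
        "http://127.0.0.1:8080/ui.zip",
        "https://169.254.169.254/latest/",
    ):
        print(url, "->", validate_fetch_url(url))
    benign = build_zip({"ui/index.html": b"<html></html>", "ui/app.js": b"console.log(1)"})
    suspect = build_zip({"ui/update.jsp": b"placeholder, not a real page"})
    print("benign:", validate_archive(benign))
    print("suspect:", validate_archive(suspect))
```

Note that the archive check is only meaningful if it runs before extraction and the package is then written only beneath a directory the servlet container does not treat as a webapp; the allow-list check belongs at the point where the URL is accepted, before any DNS lookup or connection is made.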

Pre-authentication increases exploitability

Heath Renfrow, CISO and co-founder at Fenix24, told CSO that the vulnerability is both “technically serious” and “operationally significant” for organizations, for a number of reasons.

For starters, it can be exploited before any authentication takes place, which makes it highly exploitable since no credentials are needed.

Additionally, the flaw exposes high-value targets owing to Commvault’s popularity. “Commvault is often deployed in environments managing critical infrastructure and disaster recovery,” Renfrow said. “A compromise here could impact not just data integrity but also a company’s ability to recover from ransomware or system failure, turning a single flaw into a multi-vector crisis.”

In its description of the flaw, Commvault said the vulnerability could lead to a complete compromise of the Command Center environment, although other installations within the same system are not affected. The CVSS 9.0 vulnerability affecting versions 11.38.0 and 11.38.19 was fixed by the company earlier this month, and patches were rolled out with the 11.38.20 update.

If updating isn’t an option, Commvault said, isolating the Command Center installation from external network access is an available workaround.

The original article was published on CSO Online.