CVE-2025-34028
Commvault Command Center Path Traversal Vulnerability
Public Exploits: 5
Exploited in Wild: Yes
Descriptions
A path traversal vulnerability in Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files, which, when expanded by the target server, result in Remote Code Execution. This issue affects Command Center Innovation Release: 11.38.
The Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files that represent install packages. When expanded by the target server, these files are subject to a path traversal that can result in Remote Code Execution via a malicious JSP. This issue affects Command Center Innovation Release: 11.38.
Commvault Command Center contains a path traversal vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code.
CVSS Scores
SSVC
- Decision: Act
Timeline
- 2025-04-15 CVE Reserved
- 2025-04-22 CVE Published
- 2025-04-24 First Exploit
- 2025-05-02 Exploited in Wild
- 2025-05-07 CVE Updated
- 2025-05-09 EPSS Updated
- 2025-05-23 KEV Due Date
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-306: Missing Authentication for Critical Function
CAPEC
- CAPEC-242: Code Injection
References (6)
URL | Date | SRC |
---|---|---|
https://documentation.commvault.com/securityadvisories/CV_2025_04_1.html | 2025-04-23 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
- | - | - | - | - |