Highest-Risk Security Flaw Found in Commvault Backup Solutions


A new critical vulnerability has been found in Commvault, illustrating that backup and replication solutions are highly sought after by cyber threat actors due to their crucial role in data management.

On April 24, watchTowr published a report on a newly discovered path traversal vulnerability in Commvault Command Center Innovation Release version 11.38 on Linux and Windows.

Commvault Command Center Innovation Release is a web-based management interface that provides a centralized platform for managing Commvault data protection and management operations.

When exploited, this flaw allows an unauthenticated actor to upload ZIP files and perform remote code execution (RCE), thus leading to a complete compromise of the Command Center environment.
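The flaw class named above, a path traversal reached through an uploaded ZIP archive, is illustrated here from the defender's side with an added Python example that is not Commvault's code and is not taken from the watchTowr report: before extracting, it resolves every entry name against the intended destination and refuses the whole archive if any entry would land outside it. The sample archive with one legitimate and one traversal entry is constructed inline.

```python
import os
import tempfile
import zipfile
from pathlib import Path


def unsafe_entry_names(zip_path: str, dest_dir: str) -> list[str]:
    """Return every archive entry whose extraction path would escape dest_dir."""
    dest = Path(dest_dir).resolve()
    bad = []
    with zipfile.ZipFile(zip_path) as zf:
        for name in zf.namelist():
            # Absolute paths, drive letters and backslash separators are rejected
            # outright; archive entries are expected to be relative and '/'-separated.
            if os.path.isabs(name) or os.path.splitdrive(name)[0] or "\\" in name:
                bad.append(name)
                continue
            # Resolve '..' components, then require the result to stay under dest.
            target = (dest / name).resolve()
            if target != dest and dest not in target.parents:
                bad.append(name)
    return bad


def safe_extract(zip_path: str, dest_dir: str) -> None:
    """Extract only after the whole archive has passed the traversal check."""
    bad = unsafe_entry_names(zip_path, dest_dir)
    if bad:
        raise ValueError(f"refusing archive with traversal entries: {bad}")
    with zipfile.ZipFile(zip_path) as zf:
        zf.extractall(dest_dir)


def demo() -> tuple[list[str], bool]:
    """Constructed sample archive: one legitimate entry and one traversal entry."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = os.path.join(tmp, "upload.zip")
        dest = os.path.join(tmp, "extracted")
        os.makedirs(dest)
        with zipfile.ZipFile(archive, "w") as zf:
            zf.writestr("report/summary.txt", "ok")
            zf.writestr("../../escaped.txt", "would land outside dest")
        bad = unsafe_entry_names(archive, dest)
        try:
            safe_extract(archive, dest)
            rejected = False
        except ValueError:
            rejected = True
        return bad, rejected
```

The check runs over the full entry list before any file is written, so a single traversal entry rejects the upload rather than leaving a partially extracted archive behind.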

The vulnerability was identified as CVE-2025-34028 and given the highest severity score, 10.0 (CVSS v3.1).

Commvault has released a fix in Commvault Command Center Innovation Release versions 11.38.20 and above.

Customers have been urged to upgrade to the fixed versions as soon as possible. Commvault said that if installing the update is not feasible, customers should isolate the Command Center installation from external network access.

CVE-2025-34028 Disclosure Timeline

This vulnerability is due to improper limitation of a pathname to a restricted directory (also known as a path traversal flaw) in Commvault Command Center Innovation Release version 11.38.

It was discovered by watchTowr on April 7; the firm immediately contacted Commvault.

Commvault released a fix on April 10 and published a security advisory on April 17.

At watchTowr's request, vulnerability intelligence firm VulnCheck, a CVE Numbering Authority (CNA), assigned the identifier CVE-2025-34028 to the vulnerability.

In its latest report, watchTowr shared a proof-of-concept (PoC) exploit for CVE-2025-34028.

Backup and replication solutions have been heavily targeted for vulnerability exploitation lately, as seen in recent attacks on products such as Veeam and NAKIVO. The trend shows threat actors focusing on these critical data management systems to gain unauthorized access and control.

Photo credits: T. Schneider/Shutterstock