Date of Disclosure (source): April 11, 2025 (watchTowr), CVE assigned on April 25, 2025
[Update] Date Reported as Actively Exploited (source): May 2, 2025 (CISA KEV)
CVE-2025-34028 is a critical remote code execution vulnerability in Commvault Command Center, the web application component of Commvault's enterprise data backup software. The flaw is a pre-authentication command injection vulnerability in the /commandcenter/deployWebpackage.do endpoint. Successful exploitation can lead to unauthenticated remote code execution (RCE) with SYSTEM privileges, giving attackers full control of the Command Center environment. Commvault notes: “Fortunately, other installations within the same system are not affected by this vulnerability.” A remote unauthenticated actor could send a specially crafted request to this endpoint to force a Commvault system to download and execute a ZIP file from an attacker-controlled server, thereby allowing the upload and execution of malicious files.

**Update to the below:** CISA added CVE-2025-34028 to its Known Exploited Vulnerabilities (KEV) catalog on May 2, 2025 based on evidence of active exploitation.
At the time of publication, Censys is unaware of any reports of CVE-2025-34028 being actively exploited in the wild, although a public PoC is available. However, last week on April 28, 2025, CISA added a separate Commvault vulnerability, CVE-2025-3928, to its Known Exploited Vulnerabilities (KEV) catalog. Back in March, Commvault reported that a nation-state threat actor had exploited CVE-2025-3928 to breach its Microsoft Azure environment. That issue is described as an unspecified vulnerability in Commvault Web Server that can be exploited by a remote, authenticated attacker. According to Commvault’s advisory, “Webservers can be compromised through bad actors creating and executing webshells.” However, the company emphasized that no unauthorized data access has been identified. Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary patches for Commvault Web Server by May 19, 2025.
Unpatched Commvault systems – particularly those that remain publicly internet-facing – appear to be a target. Organizations are strongly urged to patch immediately or isolate their Command Center web application interfaces from the public internet.
| Field | Details |
|---|---|
| CVE-ID | CVE-2025-34028 — CVSS 10.0 (critical) — assigned by VulnCheck |
| Vulnerability Description | A pre-authentication command injection vulnerability exists in the Commvault Command Center web interface, allowing unauthenticated attackers to achieve remote code execution (RCE) with SYSTEM privileges by sending crafted requests to the /commandcenter/deployWebpackage.do endpoint. |
| Date of Disclosure | April 11, 2025 (watchTowr) |
| Affected Assets | Commvault servers; specifically web-facing services exposing the /commandcenter/deployWebpackage.do endpoint. |
| Vulnerable Software Versions | Commvault Windows and Linux 11.38.0 – 11.38.19 |
| PoC Available? | Proof-of-concept (PoC) exploit code has been publicly released by watchTowr Labs. |
| Exploitation Status | This vulnerability is actively exploited in the wild. Commvault has confirmed exploitation in a limited number of corporate environments, with attackers deploying credential scraping tools post-exploitation. |
| Patch Status | Commvault has patched this vulnerability in version 11.38.20. Organizations are urged to update immediately. Additional mitigation advice for temporarily disabling the vulnerable service is provided in Commvault’s official advisory. |
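For defenders triaging their own estate, the two facts above that matter most are the vulnerable version range (11.38.0 through 11.38.19, fixed in 11.38.20) and the endpoint name (/commandcenter/deployWebpackage.do). The script below is an added example, not code from Censys, Commvault or watchTowr: it classifies a reported Commvault version against that range and scans web server access logs for requests to the endpoint, flagging those that arrive from outside RFC 1918 space with no authenticated user. The log format (Combined Log Format) and the sample log lines are constructed assumptions; real Command Center or Tomcat access logs may use a different layout, so adjust `LOG_RE` accordingly.

```python
import ipaddress
import re
from typing import Optional

# Version facts as stated in Commvault's advisory: 11.38.0 - 11.38.19 vulnerable, 11.38.20 fixed.
VULN_MIN = (11, 38, 0)
VULN_MAX = (11, 38, 19)
FIXED = (11, 38, 20)

# Endpoint named in the advisory for CVE-2025-34028.
VULN_ENDPOINT = "/commandcenter/deployWebpackage.do"

# Assumption: "internal" means RFC 1918 space. Adjust to your own address plan.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_version(text: str) -> Optional[tuple]:
    """Turn '11.38.19' into (11, 38, 19); return None for anything unrecognised."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version: str) -> bool:
    """True when the version falls inside the advisory's vulnerable range."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised Commvault version string: {version!r}")
    return VULN_MIN <= v <= VULN_MAX


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# Hypothetical Combined Log Format layout: client, ident, authuser, [timestamp], "METHOD path proto", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def find_endpoint_requests(log_lines):
    """Return one record per request that hit the vulnerable endpoint, with triage flags."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        path = m.group("path").split("?", 1)[0]  # ignore query string when comparing
        if path.lower() != VULN_ENDPOINT.lower():
            continue
        ip = m.group("ip")
        hits.append({
            "ip": ip,
            "ts": m.group("ts"),
            "method": m.group("method"),
            "status": int(m.group("status")),
            # A request with no authenticated user is the pre-auth pattern the advisory describes.
            "unauthenticated": m.group("user") == "-",
            "external_source": not is_internal(ip),
        })
    return hits


def needs_attention(hit: dict) -> bool:
    """Highest-priority pattern: unauthenticated request to the endpoint from outside the network."""
    return hit["unauthenticated"] and hit["external_source"]


# Constructed sample log lines (not real traffic). 198.51.100.23 is outside RFC 1918 space.
SAMPLE_LOG = [
    '10.0.0.15 - admin [25/Apr/2025:09:12:01 +0000] "GET /commandcenter/ HTTP/1.1" 200 5120',
    '198.51.100.23 - - [25/Apr/2025:09:14:33 +0000] "POST /commandcenter/deployWebpackage.do HTTP/1.1" 200 0',
    '10.0.0.15 - admin [25/Apr/2025:09:15:02 +0000] "POST /commandcenter/deployWebpackage.do?x=1 HTTP/1.1" 500 312',
    '203.0.113.9 - - [25/Apr/2025:09:16:10 +0000] "GET /commandcenter/login.do HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ver in ("11.38.0", "11.38.19", "11.38.20"):
        print(ver, "vulnerable" if is_vulnerable(ver) else "not in vulnerable range")
    for hit in find_endpoint_requests(SAMPLE_LOG):
        print(("ALERT " if needs_attention(hit) else "info  ") + str(hit))
```

Any request to the endpoint from an internal, authenticated session may well be legitimate administrative use; the external, unauthenticated pattern is the one worth escalating, and on an unpatched host it should prompt a compromise assessment rather than just patching.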
**Censys Perspective**
As of this writing, Censys has observed 3,084 Commvault servers exposed to the internet, primarily concentrated in the United States, India, and Germany.
The queries below can be used to identify internet-facing instances of Commvault software; the instances they return are not necessarily vulnerable to the exploit.
```
host.services:(cert.parsed.issuer.common_name={"COMMVAULT", "cv2"} or endpoints.http.headers:(key:"Location" and value:"/commandcenter/") or endpoints.http.headers:(key:"Server" and value:"Commvault WebServer") or endpoints.http.html_title={"Command Center", "Comvault®"} or endpoints.http.uri:"/commandcenter/" or cert.parsed.subject.organization="CommVault Systems, Inc.")
```

```
services: (tls.certificates.leaf_data.issuer.common_name= {"COMMVAULT", "cv2"} or http.response.headers: (key:"Location" and value.headers: "/commandcenter/") or http.response.headers: (key:"Server" and value.headers: "Commvault WebServer") or http.response.html_title= {"Command Center", "Comvault®"} or http.request.uri: "/commandcenter/" or tls.certificates.leaf_data.subject.organization="CommVault Systems, Inc.")
```

```
host.services:(tls.certificate.parsed.issuer.common_name={"COMMVAULT", "cv2"} or http.response.headers:(key:"Location" and value:"/commandcenter/") or http.response.headers:(key:"Server" and value:"Commvault WebServer") or http.response.html_title={"Command Center", "Comvault®"} or http.request.uri:"/commandcenter/" or tls.certificate.parsed.subject.organization="CommVault Systems, Inc.")
```
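The queries above combine six fingerprints (certificate issuer common name, certificate subject organization, a Location redirect into /commandcenter/, the "Commvault WebServer" Server header, the HTML title, and the request URI). Teams that keep their own internal service inventory can apply the same fingerprints to hosts Censys cannot see. The function below is an added example, not Censys code: it evaluates those six indicators against a simple service record. The record layout and the sample records are constructed assumptions, header names are matched case-insensitively, and substring matching on Location and URI is an approximation of the Censys query semantics.

```python
# Fingerprints lifted from the Censys queries on this page.
COMMVAULT_ISSUER_CNS = {"COMMVAULT", "cv2"}
COMMVAULT_SUBJECT_ORG = "CommVault Systems, Inc."
COMMVAULT_SERVER_HEADER = "Commvault WebServer"
COMMVAULT_TITLES = {"Command Center", "Comvault\u00ae"}  # the page's title list, typo included
COMMAND_CENTER_PATH = "/commandcenter/"


def commvault_indicators(svc: dict) -> list:
    """Return the list of fingerprints a service record matches (empty list = no match).

    Hypothetical record layout:
      {"tls": {"issuer_cn": str, "subject_org": str},
       "headers": {name: value}, "html_title": str, "uri": str}
    """
    reasons = []
    tls = svc.get("tls") or {}
    if tls.get("issuer_cn") in COMMVAULT_ISSUER_CNS:
        reasons.append("cert issuer CN")
    if tls.get("subject_org") == COMMVAULT_SUBJECT_ORG:
        reasons.append("cert subject org")

    # HTTP header names are case-insensitive, so normalise before looking them up.
    headers = {k.lower(): v for k, v in (svc.get("headers") or {}).items()}
    if COMMAND_CENTER_PATH in headers.get("location", ""):
        reasons.append("Location redirect to /commandcenter/")
    if headers.get("server") == COMMVAULT_SERVER_HEADER:
        reasons.append("Server header")

    if svc.get("html_title") in COMMVAULT_TITLES:
        reasons.append("HTML title")
    if COMMAND_CENTER_PATH in svc.get("uri", ""):
        reasons.append("request URI")
    return reasons


def filter_commvault(services: dict) -> dict:
    """Map service id -> matched fingerprints, keeping only services that match at least one."""
    out = {}
    for sid, svc in services.items():
        reasons = commvault_indicators(svc)
        if reasons:
            out[sid] = reasons
    return out


# Constructed inventory records (not real hosts).
SAMPLE_SERVICES = {
    "host-a:443": {
        "tls": {"issuer_cn": "cv2", "subject_org": "CommVault Systems, Inc."},
        "headers": {"LOCATION": "https://host-a/commandcenter/"},
        "html_title": "",
        "uri": "/",
    },
    "host-b:80": {
        "tls": {},
        "headers": {"Server": "Commvault WebServer"},
        "html_title": "Command Center",
        "uri": "/commandcenter/login.do",
    },
    "host-c:443": {
        "tls": {"issuer_cn": "Let's Encrypt Authority", "subject_org": "Example Corp"},
        "headers": {"Server": "nginx"},
        "html_title": "Welcome",
        "uri": "/",
    },
}

if __name__ == "__main__":
    for sid, reasons in filter_commvault(SAMPLE_SERVICES).items():
        print(sid, "->", ", ".join(reasons))
```

A host that matches only on a Location redirect deserves a follow-up look before being counted, since redirects can be proxied; a match on the certificate issuer plus the Server header is a much stronger signal that the service is Command Center itself.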

