CVE-2025-34028: Commvault Command Center Innovation Release Unauthenticated Path Traversal

10.0 CVSS

Description

A path traversal vulnerability in Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files which, when expanded by the target server, result in remote code execution.

A PoC exists for this vulnerability.

This issue affects Command Center Innovation Release: 11.38.

Known Exploited

🚨 Marked as known exploited on May 2nd, 2025 (about 1 month ago).

Classification

CVE ID: CVE-2025-34028

CVSS Base Severity: CRITICAL

CVSS Base Score: 10.0

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H

Problem Types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Affected Products

Vendor: Commvault

Product: Command Center Innovation Release

Nuclei Template

http/cves/2025/CVE-2025-34028.yaml

Exploit Prediction Scoring System (EPSS)

EPSS Score: 63.86% (estimated probability of exploitation in the wild)

EPSS Percentile: 98.29% (share of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-05-21 (date this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-34028
https://documentation.commvault.com/securityadvisories/CV_2025_04_1.html
https://github.com/watchtowrlabs/watchTowr-vs-Commvault-PreAuth-RCE-CVE-2025-34028

Timeline