Update – Since our last security bulletin, Commvault has clarified that being on versions 11.38.20 or 11.38.25 alone is not sufficient—particular updates within those versions must be installed to fully apply the fix for CVE-2025-34028. This update was made on May 7, 2025. Additionally, the vulnerability was added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog on May 2, 2025.
In late April, Arctic Wolf published a security bulletin addressing CVE-2025-34028, a maximum-severity vulnerability in Commvault Command Center that allows unauthenticated remote threat actors to achieve Remote Code Execution (RCE) on affected instances. Commvault Command Center is a web-based interface used to manage data protection, backup, and recovery operations across enterprise environments. Technical details and a proof-of-concept (PoC) exploit for CVE-2025-34028 were also made publicly available in April.
The flaw stems from an issue in the deployWebpackage.do endpoint, which enables a pre-authenticated Server-Side Request Forgery (SSRF) due to insufficient host filtering. This can be escalated to code execution by leveraging a malicious ZIP archive containing a JavaServer Pages (JSP) file.
Threat actors—particularly ransomware groups—have previously targeted similar data protection products due to their critical role in backup and recovery operations. Given the potential level of access and the low barrier to entry due to the publicly available PoC, threat actors are likely to further target this vulnerability in the near future.
Recommendations
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers download the additional updates for the respective fixed versions.
Product | Affected Version(s) | Fixed Version(s)
Commvault (Linux, Windows) | | 11.38.20 and 11.38.25, each only with the additional updates noted above installed
Please follow your organization’s patching and testing guidelines to minimize potential operational impact.
Remove Publicly-Exposed Instances of Commvault Command Center from the Public Internet
Since Commvault Command Center is intended as an internal management service that should not be accessed from the public internet, ensure that the service is not listening on the internet where it may be subject to exploitation of CVE-2025-34028 or other potential vulnerabilities.
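The following is an added example, not part of the Arctic Wolf bulletin or any Commvault tooling, showing one way a defender can check whether the deployWebpackage.do endpoint named above is being reached from outside the management network. It parses web-server access logs in the common log format (the log lines below are constructed samples), flags requests to that endpoint, and marks any whose source address falls outside an assumed set of internal ranges; the URL prefix, internal ranges and log format are assumptions and should be adjusted to the environment.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample access-log lines (common log format); not from any real system.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Apr/2025:10:15:02 +0000] "POST /commandcenter/deployWebpackage.do HTTP/1.1" 200 512
10.20.30.40 - admin [30/Apr/2025:10:16:11 +0000] "GET /commandcenter/ HTTP/1.1" 200 2048
198.51.100.9 - - [30/Apr/2025:10:17:45 +0000] "POST /commandcenter/deployWebpackage.do HTTP/1.1" 500 0
10.20.30.41 - - [30/Apr/2025:10:18:00 +0000] "POST /commandcenter/deployWebpackage.do HTTP/1.1" 200 512
"""

# Common log format: src ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \d+'
)

# Endpoint named in the bulletin as the origin of the SSRF.
SUSPECT_PATH = "deployWebpackage.do"

# Assumed internal management ranges; replace with the organization's own.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_internal(ip_str):
    """True if the address lies inside one of the assumed internal ranges."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # unparseable source: treat as external
    return any(ip in net for net in INTERNAL_NETS)


def find_endpoint_requests(log_text):
    """Return one record per request that touched the suspect endpoint."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or SUSPECT_PATH not in m["path"]:
            continue
        findings.append({
            "src": m["src"],
            "ts": m["ts"],
            "method": m["method"],
            "status": int(m["status"]),
            "external_source": not is_internal(m["src"]),
            "no_user": m["user"] == "-",  # no authenticated user recorded
        })
    return findings


def summarize(findings):
    """Count endpoint hits and how many came from outside the internal ranges."""
    external = [f for f in findings if f["external_source"]]
    return {
        "total": len(findings),
        "from_external": len(external),
        "external_sources": Counter(f["src"] for f in external),
    }


if __name__ == "__main__":
    hits = find_endpoint_requests(SAMPLE_LOG)
    for h in hits:
        tag = "EXTERNAL" if h["external_source"] else "internal"
        print(f'{h["ts"]} {h["src"]:<14} {h["method"]} status={h["status"]} [{tag}]')
    print(summarize(hits))
```

Any hit tagged EXTERNAL indicates that the Command Center is reachable from outside the management network and should be correlated with the firewall review described above; hits from internal addresses are still worth reviewing, since the endpoint is not expected to receive traffic in normal operation.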
Note: Exact firewall configuration instructions will vary depending on the hardware used. Please refer to your firewall’s documentation as required.