Commvault CVE-2025-34028 Added to CISA KEV After Active Exploitation Confirmed - The Hacker News

Source: The Hacker News (archived Mar 16, 2026)

Ravie Lakshmanan, May 05, 2025 · Vulnerability / Zero-Day

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a maximum-severity security flaw impacting Commvault Command Center to its Known Exploited Vulnerabilities (KEV) catalog, a little over a week after it was publicly disclosed.

The vulnerability in question is CVE-2025-34028 (CVSS score: 10.0), a path traversal bug that affects the 11.38 Innovation Release, from versions 11.38.0 through 11.38.19. It has been addressed in versions 11.38.20 and 11.38.25.

"Commvault Command Center contains a path traversal vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code," CISA said.

The flaw essentially permits an attacker to upload ZIP files that, when decompressed on the target server, could result in remote code execution.

Cybersecurity company watchTowr Labs, which was credited with discovering and reporting the bug, said the problem resides in an endpoint called "deployWebpackage.do" that triggers a pre-authenticated Server-Side Request Forgery (SSRF), ultimately resulting in code execution when using a ZIP archive file containing a malicious .JSP file.

It's currently not known in what context the vulnerability is being exploited, but the development makes it the second Commvault flaw to be weaponized in real-world attacks after CVE-2025-3928 (CVSS score: 8.7), an unspecified issue in the Commvault Web Server that allows a remote, authenticated attacker to create and execute web shells.

The company revealed last week that the exploitation activity affected a small number of customers but noted that there has been no unauthorized access to customer backup data.

In light of active exploitation of CVE-2025-34028, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary patches by May 23, 2025, to secure their networks.
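The bug class described above is an uploaded archive whose entry names escape the directory it is unpacked into. The following is an added example, not Commvault's or watchTowr's code, showing the generic server-side guard: resolve every entry against the destination and reject the whole archive if any entry would land outside it. The destination path and the sample archive are constructed for the demonstration.

```python
"""Reject ZIP archives whose entries would be written outside the target directory."""
import io
import zipfile
from pathlib import Path


def unsafe_entries(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Return the entry names that would escape dest_dir on extraction.

    Each name is joined to the destination and fully resolved, so '..'
    sequences, absolute paths and backslash separators are all caught by a
    single containment test rather than by pattern matching on the name.
    """
    dest = Path(dest_dir).resolve()
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            # ZIP writers on Windows may emit backslashes; normalise first.
            candidate = (dest / name.replace("\\", "/")).resolve()
            if candidate != dest and dest not in candidate.parents:
                bad.append(name)
    return bad


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Extract only after the whole archive has been validated.

    Failing closed on the first bad entry (instead of skipping it) keeps a
    partially written web package from ever being deployed.
    """
    bad = unsafe_entries(zip_bytes, dest_dir)
    if bad:
        raise ValueError(f"archive rejected, traversal entries: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest_dir)
        return zf.namelist()


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build a constructed in-memory archive for testing the guard."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

CPython's `extractall` already strips leading slashes and `..` components on its own; the explicit pre-check above turns that silent rewrite into an auditable rejection that can be logged and alerted on.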
Update

Commvault, in an update to its advisory on May 6, 2025, said the vulnerability can be remediated by installing versions 11.38.20 or 11.38.25 alongside supplemental updates:

- 11.38.20, with the additional updates: SP38-CU20-433 and SP38-CU20-436
- 11.38.25, with the additional updates: SP38-CU25-434 and SP38-CU25-438

Security researcher Will Dormann, who found that deploying just 11.38.20 or 11.38.25 does not fix the flaw, said "I cannot think of a behavior that is more vindictive to their customers to botch language in an advisory so bad, and also to not bother bumping release versions for the fixes for a CVSS 10 EITW vulnerability."

In a follow-up post on Mastodon, Dormann explained the issue further: "The 11.38 version of Commvault is what's referred to as the 'Innovation Release' of the software, where the expectation is that 'Pioneer customers' register with Commvault and are specifically approved to even see updates that are available."

"The problem with this: Customers who fire up a Commvault 11.38 VM through Azure or the like did not [go] through the front door of registering with Commvault. As such, they would NOT SEE UPDATES AVAILABLE. This was ... not ideal."

The security researcher also noted that Commvault changed the backend to provide the "Additional updates" that fix CVE-2025-34028 for those who use Azure or AWS via a manual download process.