Commvault Command Center has a critical security flaw

Commvault Command Center has a critical security flaw that potentially enables the execution of arbitrary code on affected installations. This could lead to a total compromise of the Command Center environment.
The flaw was discovered by watchTowr Labs researcher Sonny Macdonald, who claims it could be leveraged to achieve pre-authenticated remote code execution. The issue stems from an endpoint called deployWebpackage.do, which exposes a pre-authenticated Server-Side Request Forgery (SSRF).
This flaw is tracked as CVE-2025-34028 and has a CVSS score of 9.0 out of 10.0.
Security leaders weigh in
Eric Schwake, Director of Cybersecurity Strategy at Salt Security:
This Commvault vulnerability underscores a significant risk: attackers can exploit weak API endpoints to gain extensive access to sensitive systems. The threat resides in the possibility of pre-authenticated remote code execution on systems that are often crucial to an organization's data protection framework. A breach here could result in widespread data leaks, ransom demands for encrypted backups, or total control over recovery processes. To prevent such attacks, it is essential to implement stringent API security measures that focus on identifying and understanding the behavior of all API endpoints, including those used by critical infrastructure like backup systems. It is vital to enforce strict input validation and ensure strong authentication and authorization controls for all API functions, particularly those that manage file uploads or external connections. Additionally, continuous monitoring of API traffic is necessary to spot unusual activity that may indicate attempts to exploit these essential interfaces.
Thomas Richards, Infrastructure Security Practice Director at Black Duck:
A vulnerability like this could lead to an immediate compromise of the host running the Command Center software. Sensitive information could be exposed and the host system could be used for nefarious purposes. Users of Commvault should patch their installation immediately and begin forensic examination to determine if their instance was exploited. If the instance was exposed to the internet at all, firewall restrictions should be put in place to control who can access it. SSRF vulnerabilities are rather difficult to discover, but they can cause significant damage. Commvault should review their secure coding guidelines and threat modeling processes to prevent vulnerabilities like this from occurring again.
Mr. Agnidipta Sarkar, Vice President CISO Advisory at ColorTokens:
This severity level CVSS 10 flaw does allow unauthenticated remote attackers to execute arbitrary code on affected systems without needing any credentials, which can lead to remote code execution. That this can lead to a complete compromise of the Command Center, the central component of Commvault’s data protection infrastructure, poses a clear and present danger to digital systems. Enterprises must follow mitigation steps on an immediate and persistent mode, and if they cannot shut down full networks, they should use appliance-based microsegmentation systems, like the Xshield Gatekeeper, which can opt in critical infrastructure isolation in minutes. Otherwise, organizations could be looking at a severe impact, potentially leading to irrecoverable business and personal data impact, should some ransomware impact them.
Heath Renfrow, CISO and Co-founder at Fenix24:
The recently disclosed Commvault Command Center vulnerability (CVE-2025-34028), rated at a critical CVSS score of 9.0, is both technically serious and operationally significant for organizations relying on Commvault for backup and recovery.
What makes this vulnerability so dangerous is threefold:
- Pre-Authentication Exploitation: The flaw can be triggered before any authentication is required, meaning an attacker doesn’t need valid credentials to initiate the exploit — removing one of the primary barriers to entry.
- Remote Code Execution via SSRF + ZIP Upload: The chained attack method, from Server-Side Request Forgery to ZIP-based file deployment, enables full remote code execution. This effectively hands over server control to an external attacker, potentially allowing them to access or manipulate sensitive backup data or pivot deeper into the environment.
- Critical Infrastructure Exposure: Commvault is often deployed in environments managing critical infrastructure and disaster recovery. A compromise here could impact not just data integrity but also a company’s ability to recover from ransomware or system failure, turning a single flaw into a multi-vector crisis.
Preventive actions organizations should take immediately:
- Apply Patches Without Delay: Commvault has issued a patch in their April 17th advisory. All organizations should treat this as an emergency change window item and prioritize remediation.
- Restrict External Access: Temporarily restrict internet access to the Command Center interface via firewall rules or access controls until the patch has been applied and verified.
- Inspect for Indicators of Compromise (IOCs): Look for abnormal outbound requests to unknown ZIP sources, file writes in temp directories, or unauthorized access to the /reports/MetricsUpload path.
- Conduct a Configuration Audit: Ensure application isolation, segmentation of management interfaces, and logging of all Command Center interactions.
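The indicators listed above (hits on deployWebpackage.do and the /reports/MetricsUpload path from untrusted sources, and outbound fetches of ZIP files from unknown hosts) can be turned into a first-pass log sweep to support the forensic examination Thomas Richards and Heath Renfrow recommend. The script below is an added example written for this article; it is not Commvault's or watchTowr's code. It assumes a combined-format web access log, a constructed egress/proxy log format, a trusted admin network of 10.20.0.0/16 and an allowlisted package host named updates.example.internal; the sample log lines are constructed, and the exact URL prefix under which Command Center mounts deployWebpackage.do is not given on the page, so the rule matches the bare endpoint name anywhere in the request path.

```python
import ipaddress
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Endpoint name and path quoted in the commentary above.
WATCH_PATH_FRAGMENTS = ("deployWebpackage.do", "/reports/MetricsUpload")

# Assumption: administrative use of Command Center is expected only from this network.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Assumption: the only host the Command Center server should fetch packages from.
ALLOWED_ZIP_HOSTS = {"updates.example.internal"}

# Combined (Apache/nginx style) access log line, matched up to the status and size fields.
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed egress/proxy log format: "<timestamp> <client-ip> <method> <url> <status>"
EGRESS_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$'
)


def parse_access_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of a combined-format line, or None if it does not parse."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


def inbound_alerts(lines: List[str]) -> List[Dict[str, str]]:
    """Flag requests to the watched endpoints that come from outside the trusted admin nets."""
    alerts = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        hit = next((f for f in WATCH_PATH_FRAGMENTS if f in rec["path"]), None)
        if hit is None:
            continue
        src = ipaddress.ip_address(rec["src"])
        if any(src in net for net in TRUSTED_ADMIN_NETS):
            continue  # expected administrative use; not reported
        alerts.append({"src": rec["src"], "ts": rec["ts"], "method": rec["method"],
                       "path": rec["path"], "status": rec["status"],
                       "rule": f"untrusted source reached {hit}"})
    return alerts


def egress_alerts(lines: List[str]) -> List[Dict[str, str]]:
    """Flag outbound .zip downloads from hosts that are not on the allowlist."""
    alerts = []
    for line in lines:
        m = EGRESS_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("url"))
        if not url.path.lower().endswith(".zip"):
            continue
        if url.hostname in ALLOWED_ZIP_HOSTS:
            continue
        alerts.append({"src": m.group("src"), "ts": m.group("ts"),
                       "url": m.group("url"), "rule": "zip fetched from non-allowlisted host"})
    return alerts


# Constructed sample lines (TEST-NET addresses), not real traffic.
ACCESS_LOG = [
    '10.20.5.7 - - [18/Apr/2025:09:01:10 +0000] "GET /commandcenter/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [18/Apr/2025:09:02:41 +0000] "POST /commandcenter/deployWebpackage.do HTTP/1.1" 200 87 "-" "python-requests/2.31"',
    '198.51.100.23 - - [18/Apr/2025:09:02:44 +0000] "GET /reports/MetricsUpload/ HTTP/1.1" 200 14 "-" "python-requests/2.31"',
    '10.20.5.7 - - [18/Apr/2025:09:10:00 +0000] "POST /commandcenter/deployWebpackage.do HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
]
EGRESS_LOG = [
    "2025-04-18T09:02:42Z 10.20.1.15 GET http://updates.example.internal/packages/release.zip 200",
    "2025-04-18T09:02:43Z 10.20.1.15 GET http://203.0.113.9:8000/pkg.zip 200",
    "2025-04-18T09:05:00Z 10.20.1.15 GET https://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for a in inbound_alerts(ACCESS_LOG) + egress_alerts(EGRESS_LOG):
        print(a)
```

Run against the constructed samples, the sweep reports the two requests from 198.51.100.23 and the ZIP fetched from 203.0.113.9, while the same deployWebpackage.do request from the admin network and the fetch from the allowlisted host are left alone. The trusted-network exemption is the piece to tune carefully: it keeps routine administration out of the alert stream, but it also means an attacker already inside that range would not be caught by this rule, so it complements rather than replaces the firewall restriction and patching the experts describe.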