Commvault Command Center has a critical security flaw

By Jordyn Alger, Managing Editor
Image: Three opened padlocks (FlyD via Unsplash)

April 29, 2025

Commvault Command Center has a critical security flaw that could allow the execution of arbitrary code on affected installations. This could lead to a total compromise of the Command Center environment.

The flaw was discovered by watchTowr Labs researcher Sonny Macdonald, who claims it could be leveraged to achieve pre-authenticated remote code execution. The issue stems from an endpoint called deployWebpackage.do, which exposes a pre-authenticated Server-Side Request Forgery (SSRF).

This flaw is tracked as CVE-2025-34028 and has a CVSS score of 9.0 out of 10.0. 

Security leaders weigh in 

Eric Schwake, Director of Cybersecurity Strategy at Salt Security:

This Commvault vulnerability underscores a significant risk: attackers can exploit weak API endpoints to gain extensive access to sensitive systems. The threat resides in the possibility of pre-authenticated remote code execution on systems that are often crucial to an organization's data protection framework. A breach here could result in widespread data leaks, ransom demands for encrypted backups, or total control over recovery processes. To prevent such attacks, it is essential to implement stringent API security measures that focus on identifying and understanding the behavior of all API endpoints, including those used by critical infrastructure like backup systems. It is vital to enforce strict input validation and ensure strong authentication and authorization controls for all API functions, particularly those that manage file uploads or external connections. Additionally, continuous monitoring of API traffic is necessary to spot unusual activity that may indicate attempts to exploit these essential interfaces.

Thomas Richards, Infrastructure Security Practice Director at Black Duck:

A vulnerability like this could lead to an immediate compromise of the host running the Command Center software. Sensitive information could be exposed and the host system could be used for nefarious purposes. Users of Commvault should patch their installation immediately and begin forensic examination to determine if their instance was exploited. If the instance was exposed to the internet, at all, firewall restrictions should be put in place to control who can access it. SSRF vulnerabilities are rather difficult to discover but they can cause significant damage. Commvault should review their secure coding guidelines and threat modeling processes to prevent vulnerabilities like this from occurring again.

Mr. Agnidipta Sarkar, Vice President CISO Advisory at ColorTokens:

This severity level CVSS 10 flaw does allow unauthenticated remote attackers to execute arbitrary code on affected systems without needing any credentials, which can lead to remote code execution. That this can lead to a complete compromise of the Command Center, the central component of Commvault’s data protection infrastructure, poses a clear and present danger to digital systems. Enterprises must follow mitigation steps on an immediate and persistent mode, and if they cannot shut down full networks, they should use appliance-based microsegmentation systems, like the Xshield Gatekeeper, which can opt in critical infrastructure isolation in minutes. Otherwise, organizations could be looking at a severe impact, potentially leading to irrecoverable business and personal data impact, should some ransomware impact them.

Heath Renfrow, CISO and Co-founder at Fenix24:

The recently disclosed Commvault Command Center vulnerability (CVE-2025-34028), rated at a critical CVSS score of 9.0, is both technically serious and operationally significant for organizations relying on Commvault for backup and recovery.

What makes this vulnerability so dangerous is threefold: 

  • Pre-Authentication Exploitation: The flaw can be triggered before any authentication is required, meaning an attacker doesn’t need valid credentials to initiate the exploit — removing one of the primary barriers to entry.
  • Remote Code Execution via SSRF + ZIP Upload: The chained attack method, from Server-Side Request Forgery to ZIP-based file deployment, enables full remote code execution. This effectively hands over server control to an external attacker, potentially allowing them to access or manipulate sensitive backup data or pivot deeper into the environment.
  • Critical Infrastructure Exposure: Commvault is often deployed in environments managing critical infrastructure and disaster recovery. A compromise here could impact not just data integrity but also a company’s ability to recover from ransomware or system failure, turning a single flaw into a multi-vector crisis.

Preventive actions organizations should take immediately:

  • Apply Patches Without Delay: Commvault has issued a patch in their April 17th advisory. All organizations should treat this as an emergency change window item and prioritize remediation.
  • Restrict External Access: Temporarily restrict internet access to the Command Center interface via firewall rules or access controls until the patch has been applied and verified.
  • Inspect for Indicators of Compromise (IOCs): Look for abnormal outbound requests to unknown ZIP sources, file writes in temp directories, or unauthorized access to the /reports/MetricsUpload path.
  • Conduct a Configuration Audit: Ensure application isolation, segmentation of management interfaces, and logging of all Command Center interactions.
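The indicator checks Renfrow lists above can be turned into a simple log sweep. The following Python script is an added example, not code from the article, from watchTowr Labs or from Commvault: it scans web-server access log lines for requests to the deployWebpackage.do endpoint and the /reports/MetricsUpload path named on this page, and scans an egress/proxy log for outbound fetches of ZIP files from hosts outside an allow-list. The log formats (Apache combined format and a three-field timestamp/source/URL egress log), the allow-listed host `updates.example.internal`, and every sample line are assumptions constructed for illustration.

```python
"""Sweep constructed access and egress logs for the IOCs named in the article.

Added example; not part of the article, watchTowr's research or Commvault's tooling.
"""
import re
from collections import Counter

# Paths taken from the article: the vulnerable endpoint and the IOC path.
SUSPICIOUS_PATHS = ("deployWebpackage.do", "/reports/MetricsUpload")

# Assumed: hosts from which this deployment legitimately fetches packages.
ALLOWED_ZIP_SOURCES = {"updates.example.internal"}

# Apache combined-log-format line (assumed format for the access log).
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed egress/proxy log format: "<timestamp> <source-host> <url>".
EGRESS_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<url>https?://(?P<host>[^/\s]+)\S*)'
)


def scan_access_log(lines):
    """Return (client, timestamp, method, path, status) for every request
    whose path contains one of the IOC paths from the article."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("path")
        if any(marker in path for marker in SUSPICIOUS_PATHS):
            hits.append((m.group("client"), m.group("ts"), m.group("method"),
                         path, int(m.group("status"))))
    return hits


def scan_egress_log(lines, allowed=ALLOWED_ZIP_SOURCES):
    """Return (timestamp, source, host, url) for outbound ZIP fetches whose
    destination host (port stripped) is not on the allow-list."""
    findings = []
    for line in lines:
        m = EGRESS_RE.match(line)
        if not m:
            continue
        host = m.group("host").lower().split(":")[0]
        url = m.group("url")
        if url.lower().split("?")[0].endswith(".zip") and host not in allowed:
            findings.append((m.group("ts"), m.group("src"), host, url))
    return findings


def summarize(access_hits, egress_findings):
    """Aggregate by client so a responder sees which sources touched IOC paths."""
    by_client = Counter(hit[0] for hit in access_hits)
    return {
        "ioc_path_requests": len(access_hits),
        "clients": dict(by_client),
        "untrusted_zip_fetches": len(egress_findings),
    }


# Constructed sample data: one benign login request, then two requests from a
# single external client touching both IOC paths.
ACCESS_SAMPLE = [
    '10.0.0.5 - - [28/Apr/2025:10:01:02 +0000] "GET /commandcenter/login HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [28/Apr/2025:10:03:11 +0000] "POST /commandcenter/deployWebpackage.do HTTP/1.1" 200 17 "-" "curl/8.0"',
    '203.0.113.7 - - [28/Apr/2025:10:03:15 +0000] "GET /reports/MetricsUpload/ HTTP/1.1" 200 42 "-" "curl/8.0"',
]

# Constructed egress log: one fetch from the allow-listed update host, one from
# an unknown external host.
EGRESS_SAMPLE = [
    "2025-04-28T10:03:10Z 10.0.0.20 http://updates.example.internal/packages/webpkg.zip",
    "2025-04-28T10:03:12Z 10.0.0.20 http://203.0.113.7:8000/package.zip",
]


def main():
    hits = scan_access_log(ACCESS_SAMPLE)
    findings = scan_egress_log(EGRESS_SAMPLE)
    for hit in hits:
        print("IOC path request:", hit)
    for finding in findings:
        print("untrusted ZIP fetch:", finding)
    print(summarize(hits, findings))


if __name__ == "__main__":
    main()
```

Run it against real logs by replacing the sample lists with the lines read from the Command Center web server's access log and the proxy or firewall egress log; a request to either IOC path from an address that never authenticated, or a ZIP download from a host that is not a known update source, is the signal to escalate to forensic review rather than proof of compromise on its own.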