The U.S. Cybersecurity and Infrastructure Safety Company (CISA) has added a maximum-severity safety flaw impacting Commvault Command Heart to its Recognized Exploited Vulnerabilities (KEV) catalog, a bit over every week after it was publicly disclosed.
The vulnerability in query is CVE-2025-34028 (CVSS rating: 10.0), a path traversal bug that impacts 11.38 Innovation Launch, from variations 11.38.0 by way of 11.38.19. It has been addressed in variations 11.38.20 and 11.38.25.
“Commvault Command Heart incorporates a path traversal vulnerability that enables a distant, unauthenticated attacker to execute arbitrary code,” CISA said.
The flaw basically permits an attacker to add ZIP information that, when decompressed on the goal server, may end in distant code execution.
Cybersecurity firm watchTowr Labs, which was credited with discovering and reporting the bug, said the issue resides in an endpoint referred to as “deployWebpackage.do” that triggers a pre-authenticated Server-Facet Request Forgery (SSRF), finally leading to code execution when utilizing a ZIP archive file containing a malicious .JSP file.
It is presently not identified in what context the vulnerability is being exploited, however the growth makes it the second Commvault flaw to be weaponized in real-world assaults after CVE-2025-3928 (CVSS rating: 8.7), an unspecified situation within the Commvault Internet Server that enables a distant, authenticated attacker to create and execute net shells.
The corporate revealed final week that the exploitation exercise affected a small variety of prospects however famous that there was no unauthorized entry to buyer backup knowledge.
In gentle of energetic exploitation of CVE-2025-34028, Federal Civilian Govt Department (FCEB) companies are required to use the required patches by Might 23, 2025, to safe their networks.
Source link