PT-2025-17556 · Commvault · Commvault Command Center

Sonny +1 · Published 2025-04-11 · Updated 2026-02-16 · CVE-2025-34028

CVSS v3.1: 10 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Commvault Command Center Innovation Release versions 11.38.0 through 11.38.19

Description: A path traversal vulnerability in Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files which, when expanded by the target server, result in Remote Code Execution. This issue has been actively exploited, and patching immediately is recommended to prevent remote code execution. The vulnerability affects Commvault Command Center versions 11.38.0 to 11.38.19. Federal agencies have been directed to apply fixes by May 23, 2025.

Recommendations: For Commvault Command Center Innovation Release versions 11.38.0 through 11.38.19, update to version 11.38.20 or 11.38.25 to resolve the vulnerability. As a temporary workaround, consider restricting access to the vulnerable endpoint until the patch is applied.
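The root cause class described above (an archive member whose name escapes the extraction directory when the server expands it) is illustrated here with an added Python example; this is not Commvault code and the archive contents, file names and extraction root are constructed for the demonstration. The check resolves each member's destination before anything is written and refuses the whole archive if any member would land outside the intended root.

```python
import io
import tempfile
import zipfile
from pathlib import Path


def unsafe_entries(zip_bytes: bytes, extract_root: str) -> list[str]:
    """Return member names that would be written outside extract_root.

    Resolving root / name catches '..' segments and absolute member names.
    Python's own extractall() sanitises names; a custom extractor that
    writes root / name directly does not, which is the case this check covers.
    """
    root = Path(extract_root).resolve()
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")  # normalise Windows separators
            dest = (root / name).resolve()
            if dest != root and root not in dest.parents:
                flagged.append(info.filename)
    return flagged


def safe_extract(zip_bytes: bytes, extract_root: str) -> list[str]:
    """Extract only when every member stays under extract_root; return written paths."""
    bad = unsafe_entries(zip_bytes, extract_root)
    if bad:
        raise ValueError(f"refusing archive, traversal members: {bad}")
    root = Path(extract_root).resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            dest = root / info.filename
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(zf.read(info))
            written.append(str(dest.relative_to(root)))
    return written


def build_sample(traversal: bool) -> bytes:
    """Constructed in-memory archive; the traversal variant carries a '../' member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report/summary.txt", "benign content")
        if traversal:
            zf.writestr("../../escaped.txt", "would be written outside the root")
    return buf.getvalue()


def demo() -> tuple[list[str], list[str]]:
    """Flag the hostile archive, then extract the clean one into a temp root."""
    with tempfile.TemporaryDirectory() as tmp:
        return unsafe_entries(build_sample(True), tmp), safe_extract(build_sample(False), tmp)
```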

Exploit · Fix · RCE · Missing Authentication · Path traversal

Weakness Enumeration

Related Identifiers

BDU:2025-05617
CVE-2025-34028

Affected Products

Commvault Command Center