- A critical-severity security flaw was found in Commvault Command Center
- It allows threat actors to run arbitrary code remotely and without authentication
- Vulnerability could lead to complete compromise
Cybersecurity researchers from watchTowr recently discovered a critical-severity flaw in Commvault Command Center that could allow threat actors to run arbitrary code remotely and without authentication.
Commvault Command Center is a web-based interface that provides centralized management for data protection, backup, recovery, and compliance across hybrid environments, used by thousands of companies worldwide across industries like healthcare, finance, government, and manufacturing.
The vulnerability is tracked as CVE-2025-34028, and has a severity score of 9.0/10 (critical).
Second increase
“A critical security vulnerability has been identified in the Command Center installation, allowing remote attackers to execute arbitrary code without authentication,” the security advisory said.
“This vulnerability could lead to a complete compromise of the Command Center environment. Fortunately, other installations within the same system are not affected by this vulnerability.”
Since this flaw allows remote attackers to execute arbitrary code without authentication, a threat actor could exploit it to gain unauthorized access to, for example, a government agency’s backup system.
Once inside, they could manipulate or delete sensitive data, disrupt operations, or install malware to maintain control.
This could lead to data breaches, operational downtime, and loss of public trust. Ultimately, if classified information ends up being exposed, it could turn into a national security issue.
Multiple versions are affected by the vulnerability: 11.38 Innovation Release, from versions 11.38.0 through 11.38.19. Users looking to mitigate the flaw should go for versions 11.38.20 and 11.38.25.
So far, there is no evidence of abuse in the wild, and there is no proof-of-concept (PoC) just yet. However, most threat actors aren’t looking for zero-day vulnerabilities, but are rather waiting for security researchers to find and patch a flaw.
They are betting that many users won’t patch their endpoints on time, remaining vulnerable and thus easily exploitable.
Via The Hacker News
