
Critical RCE Vulnerability in Commvault Backup Software


Security researchers at watchTowr have disclosed a critical remote code execution (RCE) vulnerability in Commvault's backup and recovery software, tracked as CVE-2025-34028. The vulnerability affects Commvault's Innovation Release versions 11.38.0 through 11.38.19 and has been patched in version 11.38.20.

The flaw allows unauthenticated attackers to execute arbitrary code on affected systems by exploiting a server-side request forgery (SSRF) vulnerability chained with an arbitrary file write issue. Researchers discovered that the pre-authenticated endpoint "/commandcenter/deployWebpackage.do" could be manipulated to fetch a malicious ZIP file from an attacker-controlled server.

"Backup and Replication solutions have become prime targets for ransomware operators for logical reasons," the researchers noted in their disclosure. "These solutions aren't just valuable for the data they protect. Due to their automation and integration features, they often store credentials for privileged accounts across entire environments."

The attack works by sending an HTTP request to the vulnerable endpoint, coercing the Commvault instance to download a ZIP file containing malicious JSP code from an external server. The contents are then unzipped to a directory accessible without authentication, allowing the attacker to execute the malicious code.

A parallel vulnerability was also identified in another endpoint, "deployServiceCommcell.do," which follows a similar exploitation pattern but uses multipart requests instead of external HTTP requests, potentially bypassing environments where external HTTP requests are restricted.

Commvault, which describes itself as a "Data Protection or Cyber Resilience solution," responded promptly to the disclosure. After being notified on April 7, 2025, the company patched the vulnerability and released an advisory on April 17, 2025.

watchTowr researchers have also disclosed similar vulnerabilities (CVE-2024-48248) in other backup and replication platforms, such as Veeam and NAKIVO. Such vulnerabilities are particularly concerning because they affect systems designed to be the last line of defense against ransomware attacks.

Administrators running Commvault's backup solution are advised to update to version 11.38.20 or later immediately to mitigate this security risk.
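As an added defender-side example (not code from the article, from watchTowr, or from Commvault), the script below sweeps web access logs for requests that reached the two endpoints named above and checks whether a reported build falls inside the affected 11.38.0 to 11.38.19 range. The combined access-log layout and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import Counter

# Endpoints named in the disclosure, matched on the path's final component
# because the page gives the second one without its directory prefix.
WATCHED_ENDPOINTS = ("deployWebpackage.do", "deployServiceCommcell.do")
AFFECTED_FIRST = (11, 38, 0)   # first affected Innovation Release build
AFFECTED_LAST = (11, 38, 19)   # last affected build; 11.38.20 carries the fix

# Combined access-log layout (Apache/Tomcat style) is an assumption here.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_version(text):
    """'11.38.5' -> (11, 38, 5); missing components are padded with zeros."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version):
    """True when the build lies in the advisory's 11.38.0 to 11.38.19 range."""
    return AFFECTED_FIRST <= parse_version(version) <= AFFECTED_LAST

def flag_requests(lines):
    """One record per request that reached a watched deployment endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than abort the sweep
        path = m["target"].split("?", 1)[0]  # ignore any query string
        name = path.rsplit("/", 1)[-1]
        if name in WATCHED_ENDPOINTS:
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "status": m["status"], "endpoint": name})
    return hits

def hits_per_source(hits):
    """Flagged requests per client address, for triage ordering."""
    return Counter(h["ip"] for h in hits)

# Constructed sample log; addresses come from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Apr/2025:10:01:22 +0000] "POST /commandcenter/deployWebpackage.do HTTP/1.1" 200 512
198.51.100.3 - - [18/Apr/2025:10:02:05 +0000] "GET /commandcenter/ HTTP/1.1" 200 2048
203.0.113.7 - - [18/Apr/2025:10:03:41 +0000] "POST /commandcenter/deployServiceCommcell.do HTTP/1.1" 200 77
"""
```

Any hit on these endpoints from a source that has no business deploying packages is worth correlating with outbound connections from the Commvault host and with new files under the web root around the same timestamp.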
