A critical pre-authenticated Remote Code Execution (RCE) vulnerability has been disclosed in Commvault’s backup and data protection platform.
The vulnerability, tracked as CVE-2025-34028, could allow attackers to compromise enterprise backup systems without requiring authentication, potentially putting organizations’ most critical data at risk.
The vulnerability was discovered in Commvault’s “Innovation Release” versions 11.38.0 through 11.38.19 and has been patched in version 11.38.20.
Critical Commvault Authentication Bypass Vulnerability
Researchers from watchTowr Labs discovered the flaw earlier this month and developed a proof-of-concept exploit that has now been publicly released.
The vulnerability exists in two pre-authenticated endpoints: deployWebpackage.do and deployServiceCommcell.do, which are part of Commvault’s web administration interface.
These endpoints are excluded from authentication requirements as specified in the application’s authSkipRules.xml configuration file.
“Backup and Replication solutions have become prime targets for ransomware operators for logical reasons,” the researchers explained.
“Ransomware loses its sting if you can simply restore from a backup but what is the sysadmin to do if the backup has also been compromised?”
| Risk Factors | Details |
| --- | --- |
| Affected Products | Commvault Command Center Innovation Release, versions 11.38.0 through 11.38.19 |
| Impact | Pre-authenticated Remote Code Execution (RCE) |
| Exploit Prerequisites | No authentication required. The attacker must be able to reach the vulnerable endpoints over the network. No user interaction is needed. |
| CVSS 3.1 Score | 10.0 (Critical) |
Commvault RCE Vulnerability – PoC Details
The exploit chain begins with an attacker sending an HTTP request to the vulnerable endpoint:
This request triggers a Server-Side Request Forgery (SSRF) vulnerability where the application fetches content from an attacker-controlled server. The vulnerability allows attackers to:
- Coerce the Commvault server to download a ZIP file from an external server
- Use path traversal via the servicePack parameter to write files outside the intended directory
- Unzip malicious JSP files to an executable location
- Access and execute the malicious code via the web interface
Commvault describes itself as a “Data Protection or Cyber Resilience solution” and is widely used by large enterprises, managed service providers (MSPs), and government agencies.
The researchers who discovered the vulnerability emphasized that backup and replication solutions aren’t just valuable for the data they protect.
Due to their automation and integration features, they often store credentials for privileged accounts across entire environments.
The vulnerability is particularly concerning given the critical role backup solutions play in organizations’ cybersecurity strategies, especially against ransomware threats.
Security teams should also review their Commvault deployments for signs of compromise, as the now-public exploit code could lead to increased exploitation attempts.
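To support that review, here is a small access-log triage script, added as an example and not code from watchTowr or Commvault. It flags any request that reaches the two authentication-exempt endpoints described in the exploit chain above, marks those whose servicePack parameter carries a path-traversal sequence, and checks a build number against the affected range. The sample log lines and the /commandcenter/ URL prefix are constructed assumptions; adjust the prefix to match your deployment.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# The two pre-authenticated endpoints from the advisory (exempted in authSkipRules.xml).
UNAUTH_ENDPOINTS = ("/deployWebpackage.do", "/deployServiceCommcell.do")
# "../" or "..\" as a path component, checked after URL-decoding.
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
# Common Log Format; the client, timestamp, request line and status are what we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def triage_line(line):
    """Return a finding for one access-log line that hits an exempt endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith(UNAUTH_ENDPOINTS):
        return None
    finding = {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "endpoint": parts.path,
        "status": int(m.group("status")),
        "traversal": False,
    }
    # Decode twice so that %2e%2e and double-encoded %252e%252e are both caught.
    for value in parse_qs(parts.query, keep_blank_values=True).get("servicePack", []):
        if TRAVERSAL.search(unquote(unquote(value))):
            finding["traversal"] = True
    return finding

def triage(lines):
    """Any hit on these endpoints deserves a look; traversal in servicePack is the strong signal."""
    return [f for f in map(triage_line, lines) if f is not None]

def is_affected(version):
    """True for Innovation Release builds 11.38.0 through 11.38.19 (fixed in 11.38.20)."""
    major, minor, patch = (int(x) for x in version.split(".")[:3])
    return (major, minor) == (11, 38) and 0 <= patch <= 19

# Constructed sample log lines (not real traffic); the URL prefix is an assumption.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Apr/2025:10:15:01 +0000] "GET /commandcenter/deployWebpackage.do?servicePack=..%2F..%2Fsomewhere HTTP/1.1" 200 512',
    '198.51.100.5 - - [22/Apr/2025:10:15:03 +0000] "GET /commandcenter/ HTTP/1.1" 302 0',
    '203.0.113.7 - - [22/Apr/2025:10:15:09 +0000] "POST /commandcenter/deployServiceCommcell.do HTTP/1.1" 200 88',
]
```

Run `triage(SAMPLE_LOG)` over your own exported access logs; a hit with `traversal` set, especially from outside your management network, warrants treating the host as potentially compromised rather than merely unpatched.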
Organizations running affected versions of Commvault should immediately update to version 11.38.20 or later to mitigate this risk.