CVE-2025-34028 Detection: A Maximum-Severity Vulnerability in the Commvault Command Center Enables RCE

April 24, 2025 · 3 min read

Following the disclosure of CVE-2025-30406, an RCE flaw in the widely used Gladinet CentreStack and Triofox platforms, another highly critical vulnerability has surfaced that could also allow remote execution of arbitrary code without authentication. The flaw, tracked as CVE-2025-34028, was recently uncovered in the Commvault Command Center installation and could lead to a full system takeover.

Detect CVE-2025-34028 Exploitation Attempts

Last year saw an average of 115 vulnerabilities disclosed each day—and 2025 is already on track to surpass that pace, with 15,423 CVEs identified so far. To effectively mitigate risk, security teams must focus on early identification and rapid response strategies that stay ahead of emerging threats exploiting newly disclosed vulnerabilities.

Register for SOC Prime Platform and access a set of curated Sigma rules addressing CVE-2025-34028 exploitation attempts along with a complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection. Just hit the Explore Detections button below to immediately drill down to a relevant detection stack. 

Explore Detections

All the rules are compatible with multiple SIEM, EDR, and Data Lake technologies, and mapped to MITRE ATT&CK® to streamline threat investigation. Additionally, each rule is enriched with extensive metadata, including CTI references, attack timelines, audit configurations, triage recommendations, and more. 

Cyber defenders seeking more relevant content to detect cyber-attacks weaponizing trending vulnerabilities can access the whole collection of relevant detection algorithms by searching Threat Detection Marketplace with the “CVE” tag.

CVE-2025-34028 Analysis

Commvault has recently issued a security advisory for a maximum-severity vulnerability in its Command Center rated 10.0 on the CVSS scale. The flaw, identified as CVE-2025-34028, affects versions 11.38.0 through 11.38.19 of the 11.38 Innovation Release and has been patched in versions 11.38.20 and 11.38.25.

Researchers at watchTowr Labs, who identified and reported the vulnerability on April 7, 2025, stated that attackers could weaponize the flaw to gain RCE without prior authentication. More specifically, the vulnerability lies in the “deployWebpackage.do” endpoint, which allows SSRF before authentication due to a lack of host validation.

The infection chain starts with a request that makes the server fetch a malicious ZIP file from an external server. The ZIP is then unpacked into a temporary directory. Using path traversal in the servicePack parameter, attackers move the contents to a web-accessible directory. Finally, adversaries execute the malicious .jsp shell file, achieving RCE, which could potentially result in a full system compromise.

The watchTowr Labs researchers have published a Detection Artefact Generator with a CVE-2025-34028 PoC on GitHub, which works by uploading a ZIP archive with a .jsp file. Once uploaded, the .jsp file is extracted to a publicly accessible directory, and the system user information is revealed in the response. It can help security teams assess whether their instance is affected by the security issue and is prone to exploitation.
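The chain described above leaves a recognizable trail in web access logs. The following added example (not code from SOC Prime, watchTowr Labs, or Commvault) flags requests to deployWebpackage.do whose servicePack value contains path traversal, including double-encoded forms, and then correlates later .jsp fetches from the same client. It assumes the request parameters are visible in the logged URI; the log lines, IP addresses, and paths are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed access-log lines (combined log format); IPs and paths are made up.
SAMPLE_LOG = """\
198.51.100.7 - - [24/Apr/2025:10:01:02 +0000] "GET /app/login.do HTTP/1.1" 200 5120
203.0.113.9 - - [24/Apr/2025:10:02:11 +0000] "POST /app/deployWebpackage.do?servicePack=%2e%2e%2f%2e%2e%2fdemo HTTP/1.1" 200 64
203.0.113.9 - - [24/Apr/2025:10:02:15 +0000] "GET /demo/probe.jsp HTTP/1.1" 200 120
198.51.100.7 - - [24/Apr/2025:10:03:00 +0000] "POST /app/deployWebpackage.do?servicePack=SP38 HTTP/1.1" 200 64
192.0.2.44 - - [24/Apr/2025:10:04:00 +0000] "POST /app/deployWebpackage.do?servicePack=%252e%252e%255cdemo HTTP/1.1" 404 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

def fully_decode(value, rounds=5):
    """Percent-decode repeatedly so double-encoded traversal is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value):
    """True if any path segment is '..' after decoding and slash normalization."""
    return ".." in fully_decode(value).replace("\\", "/").split("/")

def scan(log_text):
    findings = []
    staged = set()  # clients that already sent a traversal-bearing deploy request
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, url = m["ip"], urlsplit(m["uri"])
        path = url.path.lower()
        if path.endswith("/deploywebpackage.do"):
            values = parse_qs(url.query).get("servicePack", [])
            if any(has_traversal(v) for v in values):
                staged.add(ip)
                findings.append((ip, "traversal in servicePack"))
        elif path.endswith(".jsp") and ip in staged and m["status"] == "200":
            findings.append((ip, "JSP served after suspicious deploy request"))
    return findings

if __name__ == "__main__":
    for ip, reason in scan(SAMPLE_LOG):
        print(ip, reason)
```

Where the parameters travel in a request body instead, the same checks apply to whatever source records the body, such as a reverse proxy or WAF log.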

The vendor urges immediate upgrades to mitigate CVE-2025-34028. Since the flaw poses a serious risk to affected environments, a rapid response from defenders is essential. By relying on SOC Prime Platform, security teams can always stay ahead of emerging threats and proactively defend against diverse CVE exploitation attempts while building a robust cybersecurity posture.
