A second Commvault flaw has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog within a week, signaling increased threat actor interest in the platform.
Tracked as CVE-2025-34028 (CVSS score of 10/10), the issue is described as a path traversal flaw in Commvault Command Center that could be exploited without authentication for remote code execution (RCE).
An attacker could upload ZIP files that result in code execution when expanded by the server, a NIST advisory reads.
According to Commvault, the bug impacts Command Center versions 11.38.0 to 11.38.19 (only the Innovation Release), and was addressed with the release of versions 11.38.20 and 11.38.25 (Innovation Update releases).
“A critical security vulnerability has been identified in the Command Center installation, allowing remote attackers to execute arbitrary code without authentication. This vulnerability could lead to a complete compromise of the Command Center environment,” Commvault notes in its advisory.
While Commvault makes no mention of the security defect being exploited in the wild, the US cybersecurity agency CISA added CVE-2025-34028 to the KEV catalog on May 2.
CISA flagged the vulnerability as targeted only days after warning that another Commvault bug (CVE-2025-3928) had been exploited, and roughly a week after cybersecurity firm watchTowr published technical information on CVE-2025-34028, as well as proof-of-concept (PoC) exploit code targeting it.
According to watchTowr, an attacker can send an HTTP request to a specific endpoint to coerce the server into fetching the ZIP file from an external server, then traverse to a pre-authenticated directory on the server and execute a malicious shell that was placed in the archive and unzipped by the server in a temp directory.
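The mechanism described above is the classic archive path-traversal ("Zip Slip") pattern: an entry name such as `../../somewhere/file` escapes the directory the server unpacks into. The defensive control is to validate every entry path against the extraction root before writing anything. The following Python extractor is an added example for this article, not code from Commvault, watchTowr or NIST; the archive, its entry names and the directory layout are constructed for the demonstration and do not correspond to any real Command Center path. Note that Python's own `ZipFile.extract()` already strips `..` components, so the example writes entries by hand to make the check explicit (a Java `ZipInputStream` loop, for instance, performs no such sanitisation).

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign entry and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report/summary.txt", "benign content\n")
        # Constructed traversal entry; the content is a harmless placeholder.
        zf.writestr("../../pre-auth-dir/placeholder.txt", "placeholder\n")
    return buf.getvalue()


def classify_entries(zip_bytes: bytes, dest_dir: str) -> tuple[list[str], list[str]]:
    """Split archive entries into those safe to write under dest_dir and those that escape it."""
    dest = Path(dest_dir).resolve()
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Lexical checks: absolute paths, backslash separators, '..' components.
            if os.path.isabs(name) or "\\" in name or ".." in Path(name).parts:
                rejected.append(name)
                continue
            # Structural check: the resolved target must stay inside dest.
            target = (dest / name).resolve()
            try:
                target.relative_to(dest)
            except ValueError:
                rejected.append(name)
                continue
            accepted.append(name)
    return accepted, rejected


def safe_extract(zip_bytes: bytes, dest_dir: str) -> tuple[list[str], list[str]]:
    """Write only validated entries; return (accepted, rejected) entry names."""
    accepted, rejected = classify_entries(zip_bytes, dest_dir)
    dest = Path(dest_dir).resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in accepted:
            target = dest / name
            if name.endswith("/"):
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(name) as src, open(target, "wb") as dst:
                dst.write(src.read())
    return accepted, rejected


def demo() -> dict:
    """Run the extractor in a throwaway tree and report what landed where."""
    with tempfile.TemporaryDirectory() as tmp:
        # dest is two levels below tmp, so '../../' from dest lands inside tmp.
        dest = os.path.join(tmp, "app", "extract")
        os.makedirs(dest)
        accepted, rejected = safe_extract(build_sample_archive(), dest)
        return {
            "accepted": accepted,
            "rejected": rejected,
            "benign_written": os.path.isfile(os.path.join(dest, "report", "summary.txt")),
            "escaped_written": os.path.exists(os.path.join(tmp, "pre-auth-dir")),
        }


if __name__ == "__main__":
    print(demo())
```

The two-stage check matters: the lexical test catches the obvious `..` and absolute-path entries cheaply, while `relative_to()` on the resolved path is the authoritative test and also covers cases such as symlinked extraction roots. Rejected entries should be logged with the source of the upload, since an archive containing traversal names is itself a useful detection signal.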
There does not appear to be any public information describing the attack attempts exploiting CVE-2025-34028.
CISA added CVE-2025-34028 to KEV alongside CVE-2024-58136, an improper protection of alternate path bug in the Yii framework that could lead to arbitrary code execution. The flaw was exploited in zero-day attacks against Craft CMS, which tracks it as CVE-2025-32432 (CVSS score of 10/10). Other products that implement Yii might be affected as well.
Per Binding Operational Directive (BOD) 22-01, federal agencies have until May 23 to apply fixes for the Commvault and Yii defects. While the directive only applies to federal agencies, all organizations are advised to review CISA’s KEV catalog and prioritize patching.