{"id":2934,"date":"2025-04-25T12:21:11","date_gmt":"2025-04-25T12:21:11","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2934"},"modified":"2025-04-25T12:21:11","modified_gmt":"2025-04-25T12:21:11","slug":"commvault-warns-of-critical-command-center-flaw","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2934","title":{"rendered":"Commvault warns of critical Command Center flaw"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>Commvault is warning customers of a critical vulnerability affecting Command Center, the web-based management console for its data protection and backup products.<\/p>\n<p>The flaw, tracked as <a href=\"https:\/\/documentation.commvault.com\/securityadvisories\/CV_2025_04_1.html\">CVE-2025-34028<\/a>, could allow remote attackers to execute arbitrary code without authentication on affected Linux and Windows installations.<\/p>\n<p>\u201cThis Commvault vulnerability underscores a significant risk: attackers can exploit weak API endpoints to gain extensive access to sensitive systems,\u201d said Eric Schwake, director of cybersecurity strategy at Salt Security. 
\u201cThe threat resides in the possibility of pre-authenticated remote code execution on systems that are often crucial to an organization\u2019s data protection framework.\u201d<\/p>\n<p>Commvault is a widely used data protection, backup, and recovery platform, with customers including Amazon, Walmart, and Apple. A breach of the platform can disrupt an organization\u2019s backup operations and open the way to unauthorized access, lateral movement, and deployment of malware and ransomware.<\/p>\n<h2 class=\"wp-block-heading\">SSRF flaw escalated to code execution<\/h2>\n<p>The vulnerability was reported by watchTowr Labs researcher Sonny Macdonald as a <a href=\"https:\/\/www.csoonline.com\/article\/571411\/ssrf-attacks-explained-and-how-to-defend-against-them.html\">server-side request forgery (SSRF)<\/a> issue in a pre-authenticated endpoint called deployWebpackage.do. Macdonald <a href=\"https:\/\/labs.watchtowr.com\/fire-in-the-hole-were-breaching-the-vault-commvault-remote-code-execution-cve-2025-34028\/\">called it<\/a> a \u201cvery straightforward pre-auth SSRF vulnerability, as there is no filtering limiting the hosts that can be communicated with.\u201d<\/p>\n<p>\u201cSSRF vulnerabilities are rather difficult to discover, but they can cause significant damage,\u201d said Thomas Richards, infrastructure security practice director at Black Duck. 
\u201cUsers of Commvault should patch their installation immediately and begin forensic examination to determine if their instance was exploited. If the instance was exposed to the internet at all, firewall restrictions should be put in place to control who can access it.\u201d<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/571411\/ssrf-attacks-explained-and-how-to-defend-against-them.html\">SSRF<\/a> \u2014 a flaw that lets an attacker trick a server into making <a href=\"https:\/\/www.csoonline.com\/article\/3959148\/hackers-attempted-to-steal-aws-credentials-using-ssrf-flaws-within-hosted-sites.html\">unauthorized requests<\/a> to internal or external systems \u2014 does not by itself yield code execution. In this case, however, Macdonald built a <a href=\"https:\/\/github.com\/watchtowrlabs\/watchTowr-vs-Commvault-PreAuth-RCE-CVE-2025-34028\">proof-of-concept exploit<\/a> showing how the pre-authenticated SSRF can be escalated to RCE.<\/p>\n<p>The escalation works by pointing the SSRF at a host of the attacker\u2019s choosing that serves a ZIP archive containing a malicious .JSP file; the server retrieves and unpacks the archive, and the .JSP is then executed by the application server.<\/p>\n<h2 class=\"wp-block-heading\">Pre-authentication increases exploitability<\/h2>\n<p>Heath Renfrow, CISO and co-founder at FEnix24, told CSO that the vulnerability is both \u201ctechnically serious\u201d and \u201coperationally significant\u201d for organizations, for several reasons.<\/p>\n<p>First, it is exploitable before authentication: an attacker needs no credentials to trigger it, which makes exploitation far easier.<\/p>\n<p>Second, the flaw exposes high-value targets, given how widely Commvault is deployed. \u201cCommvault is often deployed in environments managing critical infrastructure and disaster recovery,\u201d Renfrow said. 
\u201cA compromise here could impact not just data integrity but also a company\u2019s ability to recover from ransomware or system failure, turning a single flaw into a multi-vector crisis.\u201d<\/p>\n<p>In its advisory, Commvault said the vulnerability could lead to a complete compromise of the Command Center environment, although other installations within the same system are not affected. The flaw, rated CVSS 9.0, affects versions 11.38.0 through 11.38.19 and was fixed earlier this month in the 11.38.20 update.<\/p>\n<p>For customers who cannot update immediately, Commvault said isolating the Command Center installation from external network access is an available workaround.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Commvault is warning customers of a critical vulnerability affecting Command Center, a web-based management console for its data protection and backup offerings. The flaw, tracked as CVE-2025-34028, could allow remote attackers to execute arbitrary code without authentication on affected Linux and Windows installations. 
\u201cThis Commvault vulnerability underscores a significant risk: attackers can exploit [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2930,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2934","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2934"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2934"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2934\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2930"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2934"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2934"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2934"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
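The article above describes two weaknesses behind the SSRF-to-RCE chain: a package-fetching endpoint with no filtering of the hosts it will contact, and the unpacking of whatever ZIP comes back, including a .JSP that the application server then executes. The following is an added example written by the editor; it is not Commvault's code and not the watchTowr proof of concept. It puts the unfiltered fetch pattern next to a hardened form (https only, no IP literals, host on an allow-list) and adds an archive-entry check that refuses path traversal and server-executable extensions. The allow-list, the function names and the sample archive are illustrative assumptions.

```python
"""Hardening checks for the two weaknesses the article describes.

Added example by the editor, not Commvault's code and not the watchTowr PoC.
The vulnerable pattern (fetch a package from any host the request names,
then unpack whatever ZIP comes back) is shown next to a hardened form:
the fetch target must be an https URL on an allow-list, and archive entries
that escape the destination directory or carry a server-executable
extension are refused. All names, the allow-list and the sample archive
are illustrative assumptions.
"""
import io
import ipaddress
import posixpath
import zipfile
from urllib.parse import urlsplit

# Assumed deployment configuration: the only host packages may come from.
ALLOWED_HOSTS = {'updates.example.internal'}

# Extensions an application server would execute if dropped under a web root.
EXECUTABLE_SUFFIXES = ('.jsp', '.jspx', '.war', '.jar')


def vulnerable_fetch_target(url):
    """The unfiltered pattern: whatever host the request names is contacted."""
    return urlsplit(url).hostname


def hardened_fetch_target(url):
    """Return the host for an acceptable URL, or raise ValueError.

    Requires https, a DNS name rather than a literal IP (so loopback and
    cloud metadata addresses cannot be named directly), and membership in
    ALLOWED_HOSTS.
    """
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme != 'https' or not host:
        raise ValueError('only https URLs with a host name are accepted')
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal, continue with the allow-list check
    else:
        raise ValueError('literal IP addresses are not accepted: ' + host)
    if host.lower() not in ALLOWED_HOSTS:
        raise ValueError('host is not on the allow-list: ' + host)
    return host


def zip_entry_is_safe(name):
    """Reject Zip Slip style paths and entries the server would execute."""
    normalized = posixpath.normpath(name.replace('\\', '/'))
    if normalized.startswith('/') or normalized == '..' or normalized.startswith('../'):
        return False
    if ':' in normalized.split('/')[0]:  # Windows drive letter such as C:
        return False
    if normalized.lower().endswith(EXECUTABLE_SUFFIXES):
        return False
    return True


def classify_webpackage(zip_bytes):
    """Split an archive's entries into (accepted, rejected) name lists.

    A hardened unpacker extracts only the accepted names; the vulnerable
    pattern extracts everything.
    """
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            (accepted if zip_entry_is_safe(info.filename) else rejected).append(info.filename)
    return accepted, rejected


def build_sample_archive():
    """Constructed sample: one benign report plus the two entry shapes a
    hostile package would carry (path traversal, and a JSP under the web root)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as archive:
        archive.writestr('reports/summary.html', '<html>ok</html>')
        archive.writestr('../../webapps/ROOT/shell.jsp', '<% out.println(7 * 6); %>')
        archive.writestr('reports/report.jsp', '<% %>')
    return buf.getvalue()


if __name__ == '__main__':
    print(vulnerable_fetch_target('http://169.254.169.254/latest/meta-data/'))
    print(classify_webpackage(build_sample_archive()))
```

The IP-literal check matters even with an allow-list in place: a hardened fetcher should also resolve the allowed name and pin the connection to the resolved address, so that DNS answers pointing at internal ranges cannot be used as a second hop.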
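The remediation advice in the article comes down to three checks: is the installed build inside the affected range (11.38.0 through 11.38.19, fixed in 11.38.20), has the pre-authentication endpoint deployWebpackage.do been hit, and from where. The following triage helper is an added example written by the editor, not Commvault's tooling. It assumes an Apache-style combined access log, and the sample lines and their query parameters are constructed for the example; the regular expression will need adapting to the real Command Center web server log.

```python
"""Triage helpers for the remediation advice in the article above.

Added example by the editor, not Commvault's tooling. is_affected_version()
applies the range the article gives (11.38.0 through 11.38.19, fixed in
11.38.20). find_suspicious_requests() scans web access-log lines for hits on
the pre-authentication endpoint the write-up names, deployWebpackage.do.
The log layout is an assumed Apache-style combined log; the sample lines and
their query parameters are constructed, not the real request parameters.
"""
import re
from urllib.parse import unquote

FIXED_VERSION = (11, 38, 20)
AFFECTED_FIRST = (11, 38, 0)
AFFECTED_LAST = (11, 38, 19)
VULNERABLE_ENDPOINT = 'deploywebpackage.do'

# Assumed combined-log layout: client, ident, user, [timestamp], "request", status, size.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log; the query strings are made up for the example.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Apr/2025:09:12:01 +0000] "GET /commandcenter/ HTTP/1.1" 200 5120',
    '203.0.113.77 - - [20/Apr/2025:09:14:33 +0000] "GET /commandcenter/deployWebpackage.do?src=203.0.113.77 HTTP/1.1" 200 211',
    '10.0.0.5 - - [20/Apr/2025:09:15:10 +0000] "POST /commandcenter/login.do HTTP/1.1" 302 0',
    '198.51.100.9 - - [20/Apr/2025:09:20:45 +0000] "GET /commandcenter/deployWebPackage%2Edo?src=198.51.100.9 HTTP/1.1" 500 88',
    'garbage line that does not parse',
]


def parse_version(text):
    """'11.38.19' or '11.38.19.0' -> (11, 38, 19); raises ValueError otherwise."""
    parts = text.strip().split('.')
    if len(parts) < 3:
        raise ValueError('expected at least major.minor.build: ' + text)
    return tuple(int(p) for p in parts[:3])


def is_affected_version(text):
    """True when the build falls inside the affected range the advisory gives."""
    return AFFECTED_FIRST <= parse_version(text) <= AFFECTED_LAST


def find_suspicious_requests(lines, trusted_sources=()):
    """Return one dict per request to the vulnerable endpoint.

    Matching is case-insensitive and applied after URL-decoding so that
    trivial encoding tricks do not hide the path. Sources listed in
    trusted_sources (for instance a known deployment host) are skipped.
    """
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m is None:
            continue  # unparseable line: not this log layout, skip it
        path = unquote(m.group('path')).split('?', 1)[0].lower()
        if not path.endswith(VULNERABLE_ENDPOINT):
            continue
        if m.group('src') in trusted_sources:
            continue
        hits.append({
            'src': m.group('src'),
            'ts': m.group('ts'),
            'method': m.group('method'),
            'path': m.group('path'),
            'status': int(m.group('status')),
        })
    return hits


if __name__ == '__main__':
    for v in ('11.38.0', '11.38.19', '11.38.20'):
        print(v, 'affected' if is_affected_version(v) else 'not affected')
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(hit['ts'], hit['src'], hit['status'], hit['path'])
```

A request to the endpoint is not proof of exploitation, and a non-200 status is not proof of failure; any hit from an untrusted source should be followed by a check for newly written .JSP files under the Command Center web root and for outbound connections from the server to the host named in the request.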