Critical Commvault Flaw Allows Full System Takeover – Update NOW


Enterprises using Commvault Innovation Release are urged to patch immediately against CVE-2025-34028. This critical flaw allows attackers to run code remotely and gain full control.

A severe security vulnerability has been discovered in the Commvault Command Center, a widely adopted solution for enterprise backup and data management. The flaw, tracked as CVE-2025-34028 and assigned a critical severity score of 9.0 out of 10, could allow remote attackers to execute arbitrary code on vulnerable Commvault installations without needing to log in.

The weakness was discovered and responsibly reported on April 7, 2025, by Sonny Macdonald, a researcher with watchTowr Labs. watchTowr's analysis revealed that the vulnerability lies within a specific web interface component named “deployWebpackage.do.”

This endpoint is susceptible to a pre-authenticated Server-Side Request Forgery (SSRF) attack because it does not properly validate which external servers the Commvault system is permitted to interact with ...


Copyright of this story solely belongs to hackread.com.