
Critical Vulnerability Discovered in Commvault Backup System
A new serious threat has emerged in the cybersecurity landscape. A critical unauthenticated Remote Code Execution (RCE) vulnerability has been identified in Commvault Command Center, the web management console of Commvault's widely used data protection platform. The flaw lets an attacker run code on the server without a password or any other credentials: the affected endpoints are not protected by authentication at all, so there is nothing to bypass.
Tracked as CVE-2025-34028, the vulnerability carries the maximum CVSS score of 10.0, classifying it as a "critical" threat.
Researchers identified the issue in Commvault's "Innovation Release" line, versions 11.38.0 through 11.38.19. The vulnerability lives in the web management interface (Command Center), specifically in the deployWebpackage.do and deployServiceCommcell.do endpoints.
These endpoints are listed in the authSkipRules.xml configuration file, which exempts them from the authentication check, so they can be reached without any login or password. Any attacker who can reach the Command Center over the network, including from the internet if the interface is exposed, can target a vulnerable system directly.
The researchers developed a Proof-of-Concept (PoC) attack scenario, which includes the following steps:
- The attacker sends a specially crafted HTTP request to one of the unauthenticated endpoints on the Commvault server.
- The request triggers a Server-Side Request Forgery (SSRF): the server fetches a ZIP archive from a host the attacker controls.
- The archive contains a malicious JSP file whose entry name includes path traversal ("../" segments), so when the server unpacks it the file lands in a web-accessible directory instead of the intended temporary location (the Zip Slip pattern seen in many archive extractors).
- The attacker then requests the planted JSP file through the web interface, and the server executes it.
Code planted this way runs inside the Command Center web application, so the attacker inherits that service's privileges on the host and can drive the product's own management functions, not merely read data.
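As an added illustration (it is not Commvault's code and not the researchers' PoC), the Python below shows the archive path traversal at the heart of the third step in the general case: an extractor that trusts archive entry names beside one that resolves every entry and refuses anything outside the destination. The archive contents, directory layout and JSP text are constructed for the example; the real payload and paths are not reproduced here.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Constructed archives for the example (not the real payload used against Commvault).
# The first entry's name climbs two directories above the extraction directory:
# the archive, not the extractor, decides where the file is written ("Zip Slip").
MALICIOUS_ENTRIES = {
    "../../webroot/shell.jsp": '<% out.println("planted"); %>',
    "package/readme.txt": "benign entry",
}
BENIGN_ENTRIES = {
    "package/readme.txt": "benign entry",
    "package/static/app.js": "console.log('ok');",
}


def build_zip(entries):
    """Build an in-memory ZIP from {entry_name: text}; entry names are stored verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in entries.items():
            zf.writestr(name, text)
    return buf.getvalue()


def extract_unsafe(zip_bytes, dest):
    """Vulnerable pattern: joins the entry name onto dest without checking where it lands.
    (Python's ZipFile.extractall() strips '..' itself, so the loop is written by hand
    to reproduce what a naive extractor does.)"""
    dest = Path(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = dest / info.filename          # '..' components are honoured as-is
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target.resolve())
    return written


def extract_safe(zip_bytes, dest):
    """Hardened extractor: resolve every entry first and fail closed if any of them
    would land outside dest, so nothing at all is written from a hostile archive.
    Absolute entry names are rejected by the same check (Path joins them as absolute)."""
    dest = Path(dest).resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        planned = []
        for info in zf.infolist():
            target = (dest / info.filename).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"zip entry escapes extraction directory: {info.filename!r}")
            planned.append((info, target))
        written = []
        for info, target in planned:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def demo():
    """Run both extractors on the constructed archives in a scratch directory and
    return what happened as a dict, so the outcome can be checked rather than eyeballed."""
    root = Path(tempfile.mkdtemp()).resolve()
    dest = root / "tmp" / "extract"
    dest.mkdir(parents=True)
    extract_unsafe(build_zip(MALICIOUS_ENTRIES), dest)
    escaped = (root / "webroot" / "shell.jsp").is_file()   # file landed outside dest

    dest2 = root / "tmp" / "extract2"
    dest2.mkdir()
    try:
        extract_safe(build_zip(MALICIOUS_ENTRIES), dest2)
        rejected = False
    except ValueError:
        rejected = True
    nothing_written = not any(dest2.iterdir())             # fail closed: directory still empty

    benign = extract_safe(build_zip(BENIGN_ENTRIES), dest2)
    return {
        "unsafe_escaped": escaped,
        "safe_rejected": rejected,
        "safe_wrote_nothing": nothing_written,
        "benign_files": len(benign),
    }


if __name__ == "__main__":
    print(demo())
```

The check in `extract_safe` is deliberately done on the resolved path rather than by looking for a literal `..`, so that symlinked destinations, absolute entry names and mixed separators are all caught by the same rule, and the two-pass structure means a single bad entry aborts the whole extraction before any file is created.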
Backup and replication solutions are a cornerstone of modern cybersecurity strategies. In the fight against ransomware, backups are often seen as the last line of defense. But what happens if attackers compromise the backup system itself? In such cases, an organization could be completely paralyzed.
Researchers warn that, because Commvault is deeply integrated with the systems it protects and automates operations across them, a compromised Command Center can in many cases be used as a springboard to the backup data itself and to other sensitive systems in the environment.
Commvault has addressed this vulnerability in version 11.38.20. All users are urgently recommended to update immediately.
If updating is not currently possible, consider the following measures:
- Restrict network access to the Command Center web interface to the addresses that need it (management networks, VPN) and do not expose it to the internet.
- Put the interface behind a reverse proxy or VPN that authenticates clients (for example with client certificates) before any request reaches the application. TLS encryption on its own does not help here: the vulnerable endpoints accept requests without credentials, so an HTTPS connection simply carries the attacker's request.
- Review authSkipRules.xml to see which endpoints are exempt from authentication, and block the deploy endpoints at the proxy or firewall. Test any change to the vendor configuration carefully, since removing entries may break legitimate functionality.
- Check web server access logs for requests to deployWebpackage.do and deployServiceCommcell.do, in particular when the same client then requests an unexpected .jsp file, and monitor web-served directories for newly created .jsp files.
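As an added example of the log review in the last item (this is not from the page or from Commvault), the Python below reads access-log lines in the common combined format, flags every request to the two unauthenticated deploy endpoints, and raises the severity when the same client then requests a .jsp file within a short window, which is the order of events in the PoC. The log lines are constructed; the /commandcenter/ context path, the .jsp locations and the 15-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Combined log format (Tomcat AccessLogValve pattern %h %l %u %t "%r" %s %b).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The two endpoints named in the advisory. Matching on the last path segment so the
# rule does not depend on the exact context path (assumed to be /commandcenter/).
SUSPECT_ENDPOINTS = ("deployWebpackage.do", "deployServiceCommcell.do")

# Constructed sample log: one benign browsing client, one client that hits the deploy
# endpoint and seconds later requests a JSP, one client that only probes the second
# endpoint, a JSP request with no preceding deploy, a JSP request outside the window,
# and a malformed line. Hypothetical JSP names; not the real paths from the PoC.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Apr/2025:10:01:02 +0000] "GET /commandcenter/ HTTP/1.1" 200 5123
10.0.0.7 - - [23/Apr/2025:10:01:40 +0000] "GET /commandcenter/login.do HTTP/1.1" 200 2048
203.0.113.9 - - [23/Apr/2025:10:02:11 +0000] "POST /commandcenter/deployWebpackage.do HTTP/1.1" 200 88
203.0.113.9 - - [23/Apr/2025:10:02:15 +0000] "GET /commandcenter/hello.jsp HTTP/1.1" 200 31
198.51.100.4 - - [23/Apr/2025:10:02:30 +0000] "GET /commandcenter/deployServiceCommcell.do?a=1 HTTP/1.1" 200 12
10.0.0.7 - - [23/Apr/2025:10:03:00 +0000] "GET /commandcenter/status.jsp HTTP/1.1" 200 400
203.0.113.9 - - [23/Apr/2025:11:30:00 +0000] "GET /commandcenter/later.jsp HTTP/1.1" 404 0
not a log line
"""


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path (query stripped), status,
    or None when the line does not match the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def analyze(log_text, window=timedelta(minutes=15)):
    """Return alerts as (severity, ip, path) tuples in log order.

    medium: any request to a deploy endpoint (reachable without authentication).
    high:   a .jsp request from a client that hit a deploy endpoint within `window`,
            i.e. the fetch-then-execute sequence of the PoC.
    """
    alerts = []
    last_deploy = {}   # ip -> timestamp of that client's most recent deploy-endpoint hit
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, ts = rec["ip"], rec["path"], rec["ts"]
        if path.rsplit("/", 1)[-1] in SUSPECT_ENDPOINTS:
            alerts.append(("medium", ip, path))
            last_deploy[ip] = ts
        elif path.lower().endswith(".jsp"):
            seen = last_deploy.get(ip)
            if seen is not None and timedelta(0) <= ts - seen <= window:
                alerts.append(("high", ip, path))
    return alerts


if __name__ == "__main__":
    for severity, ip, path in analyze(SAMPLE_LOG):
        print(f"{severity:6} {ip:15} {path}")
```

The high-severity rule keys on the sequence rather than on a fixed file name because the JSP the attacker plants can be called anything; what does not change is that the same client first reaches the unauthenticated deploy endpoint and shortly afterwards asks the server to run a JSP. On a live system, feed the Tomcat access log for the Command Center through `analyze` and treat any high alert as an incident.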
Organizations invest heavily in protecting their data. However, if the systems storing this data are vulnerable, the entire security framework is called into question. The Commvault vulnerability serves as a stark warning.
Time is critical. The PoC code for this vulnerability has already been publicly disclosed, so exploitation attempts should be expected. Do not delay the update: the backup system is not just a copy of your data, it is one of your primary defense tools.