Commvault Command Center ZIP Path Traversal RCE
CVE-2025-34028 is a critical path traversal vulnerability in Commvault Command Center Innovation Release, affecting versions 11.38.0 through 11.38.19 on Linux and Windows. An unauthenticated attacker can upload a ZIP file that the server treats as an install package; when the server expands the archive, entry names containing traversal sequences cause files to be written outside the intended extraction directory. An attacker can use this to drop a malicious JSP into a web-served directory and obtain remote code execution. Public reporting associates the issue with the deployWebpackage.do endpoint.
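The underlying bug class (often called Zip Slip) is easy to reproduce without touching Commvault. The following added example, which is not code from Commvault or from any of the exploit repositories described on this page, builds a constructed archive with one entry named `../webroot/shell.jsp`, shows a hand-rolled extractor that trusts entry names writing the file outside its extraction directory, and then shows a hardened extractor that validates every entry against the extraction root before writing anything. The directory names and the payload bytes are illustrative assumptions.

```python
"""Zip Slip demonstration: a trusting extractor versus a hardened one.

Added example, not Commvault code. The archive, entry names and payload
are constructed here for illustration.
"""
import io
import os
import tempfile
import zipfile


def build_traversal_zip(escape_name="../webroot/shell.jsp",
                        payload=b'<%= System.getProperty("user.name") %>'):
    """Return a constructed ZIP with a benign entry and one escaping entry.

    zipfile stores the entry name exactly as given; it only sanitizes names
    on extraction via ZipFile.extract(), which the naive extractor below
    deliberately does not use.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pkg/readme.txt", b"install package")
        zf.writestr(escape_name, payload)
    return buf.getvalue()


def naive_extract(zip_bytes, dest):
    """The vulnerable pattern: join dest and entry name with no containment check."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest, info.filename)  # "../" is honoured here
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def safe_extract(zip_bytes, dest):
    """Hardened pattern: validate every entry first, write only if all pass."""
    root = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        plan = []
        for info in zf.infolist():
            name = info.filename
            # Reject absolute paths, drive letters and embedded NULs outright.
            if os.path.isabs(name) or os.path.splitdrive(name)[0] or "\x00" in name:
                raise ValueError(f"absolute or malformed entry rejected: {name!r}")
            target = os.path.realpath(os.path.join(root, name))
            # Containment check: the resolved target must sit strictly under root.
            if target == root or os.path.commonpath([root, target]) != root:
                raise ValueError(f"path traversal entry rejected: {name!r}")
            plan.append((info, target))
        written = []
        for info, target in plan:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def demo(escape_name="../webroot/shell.jsp"):
    """Run both extractors in a scratch directory.

    Returns (escaped, blocked): whether the naive extractor wrote shell.jsp
    into the sibling 'webroot' directory, and whether the hardened extractor
    refused the archive.
    """
    data = build_traversal_zip(escape_name)
    base = tempfile.mkdtemp()
    naive_dest = os.path.join(base, "naive")
    os.makedirs(naive_dest)
    naive_extract(data, naive_dest)
    escaped = os.path.exists(os.path.join(base, "webroot", "shell.jsp"))
    try:
        safe_extract(data, os.path.join(base, "safe"))
        blocked = False
    except ValueError:
        blocked = True
    return escaped, blocked


if __name__ == "__main__":
    print("traversal archive:", demo())          # expected (True, True)
    print("benign archive:   ", demo("pkg/ok.jsp"))  # expected (False, False)
```

The two-pass structure in `safe_extract` matters: validating and writing in one loop would leave the benign entries on disk before the bad one is rejected. Python's own `ZipFile.extractall` strips `..` components, so the trusting behaviour only appears when extraction is hand-rolled; Java's `java.util.zip` streams, which a Java web application like Command Center would typically use, return the raw entry name and leave containment to the caller.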
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
This repository contains a Python exploit for CVE-2025-34028, a remote code execution vulnerability in Commvault Command Center. The main script, 'CVE-2025-34028-Commvault.py', allows the user to target a single host or scan multiple hosts in bulk. The exploit works by first verifying the presence of a Commvault instance on the target, then uploading a base64-encoded ZIP archive containing a JSP web shell via a path traversal vulnerability in the '/commandcenter/deployServiceCommcell.do' endpoint. After uploading, the script accesses the shell at a predictable URL under '/reports/MetricsUpload/<random_path>/.tmp/dist-cc/dist-cc/shell.jsp' to execute code and retrieve the current system user, demonstrating successful exploitation. The script provides detailed output and a summary table of results for all tested hosts. The repository also includes a README with usage instructions, a requirements.txt for dependencies, and an MIT license. The exploit is operational, providing a working payload and clear demonstration of remote code execution.
This repository contains an Nmap Scripting Engine (NSE) script (CVE-2025-34028.nse) and a README. The script targets Commvault installations vulnerable to CVE-2025-34028, an unauthenticated remote code execution flaw. The script works by first verifying the presence of a Commvault instance via a specific endpoint, then uploading a base64-encoded ZIP file containing a JSP webshell to a writable directory using a crafted POST request. It then attempts to access the uploaded shell and confirms exploitation by extracting the current system user from the shell's response. The script is operational and provides a working exploit, not just detection. The only code file is written in Lua for use with Nmap, and the README provides usage instructions. No hardcoded IPs or domains are present; all endpoints are dynamically constructed based on the target.
This repository contains a proof-of-concept exploit for CVE-2025-34028, targeting Commvault Web Interfaces (versions 11.38.0 - 11.38.19) on both Windows and Linux. The exploit is implemented in a single Python script ('watchtowr-vs-commvault-rce-CVE-2025-34028.py') and is accompanied by a README.md with usage instructions and technical details. The exploit works by uploading a specially crafted zip file containing a JSP webshell to a public directory on the target Commvault server via a vulnerable endpoint. After upload, the script accesses the webshell to retrieve and display the system user, demonstrating unauthenticated remote code execution. The payload is a simple JSP page that prints the current system user. The exploit requires only the target URL and does not require authentication, making it a pre-auth RCE. The repository is structured as a typical PoC with clear instructions and a single exploit script.
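All three exploits above follow the same sequence: a POST carrying a base64-encoded ZIP to a Command Center deployment endpoint, then a GET to a predictable JSP path under `/reports/MetricsUpload/`. That makes the chain easy to hunt for in web server access logs. The following added detection routine is not part of any of the repositories described above; it parses constructed combined-format log lines (not real traffic), flags POSTs to the two endpoint names this page mentions (`deployWebpackage.do` and `deployServiceCommcell.do`) and any request for a `.jsp` under the `MetricsUpload/<dir>/.tmp/dist-cc/dist-cc/` pattern, and raises a chain finding when one client does both. The rule names, the path pattern and the sample client addresses are assumptions derived from the PoC descriptions, so tune the regex to how your deployment actually serves the reports application.

```python
"""Access-log hunt for the CVE-2025-34028 upload-then-webshell chain.

Added example, not code from the PoC repositories. Log lines are constructed.
"""
import re
from typing import Dict, List, Optional

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [22/Apr/2025:10:15:01 +0000] "GET /commandcenter/ HTTP/1.1" 200 5120 "-" "curl/8.5.0"
10.0.0.5 - - [22/Apr/2025:10:15:03 +0000] "POST /commandcenter/deployServiceCommcell.do HTTP/1.1" 200 312 "-" "python-requests/2.32.3"
10.0.0.5 - - [22/Apr/2025:10:15:04 +0000] "GET /reports/MetricsUpload/a8f3k2/.tmp/dist-cc/dist-cc/shell.jsp HTTP/1.1" 200 47 "-" "python-requests/2.32.3"
10.0.0.9 - - [22/Apr/2025:10:20:00 +0000] "GET /reports/MetricsUpload/a8f3k2/summary.xml HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# Endpoint names taken from this page; the URL prefix is not assumed.
UPLOAD_ENDPOINTS = ("/deployWebpackage.do", "/deployServiceCommcell.do")

# Webshell location pattern derived from the PoC descriptions (assumption:
# one random directory segment, then the .tmp/dist-cc/dist-cc drop path).
WEBSHELL_RE = re.compile(
    r"^/reports/MetricsUpload/[^/]+/\.tmp/dist-cc/dist-cc/[^/]+\.jsp$",
    re.IGNORECASE,
)

RULE_UPLOAD = "commvault_package_upload_endpoint"
RULE_JSP = "metricsupload_jsp_request"
RULE_CHAIN = "upload_then_jsp_chain"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["path"] = ev["target"].split("?", 1)[0]  # drop the query string
    return ev


def classify(ev: Dict[str, str]) -> Optional[str]:
    """Map one parsed request to a rule name, or None if it is benign."""
    path = ev["path"]
    if ev["method"] == "POST" and path.lower().endswith(
        tuple(e.lower() for e in UPLOAD_ENDPOINTS)
    ):
        return RULE_UPLOAD
    if WEBSHELL_RE.match(path):
        return RULE_JSP
    return None


def detect(log_text: str) -> List[Dict[str, str]]:
    """Return per-request findings plus a chain finding per client that
    hits an upload endpoint and then requests a dropped .jsp."""
    findings: List[Dict[str, str]] = []
    rules_by_client: Dict[str, set] = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        rule = classify(ev)
        if rule is None:
            continue
        hit = {"rule": rule, "client": ev["client"], "time": ev["time"],
               "path": ev["path"], "status": ev["status"]}
        findings.append(hit)
        seen = rules_by_client.setdefault(ev["client"], set())
        seen.add(rule)
        if rule == RULE_JSP and RULE_UPLOAD in seen:
            findings.append(dict(hit, rule=RULE_CHAIN))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['rule']:36} {f['client']:10} {f['status']} {f['path']}")
```

A 200 on the `.jsp` request is the strongest signal, since it means the file exists and executed; a 404 to the same path is still worth a look because it may be a scanner probing for the PoC's predictable location. Pair the log hunt with a filesystem check for any `.jsp` under the `MetricsUpload` tree on the server itself, since the upload can succeed even if the attacker never returns to call the shell.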
Recent activity
71 sources tracked across advisories, community write-ups, and news.
A remote code execution vulnerability in Commvault Command Center referenced as a scanning target.
A critical Commvault Command Center vulnerability described as path traversal and remote code execution; confirmed actively exploited and added to CISA KEV.
A critical path traversal vulnerability in Commvault Command Center Innovation Release allows unauthenticated attackers to upload malicious ZIP files, leading to remote code execution when extracted by the server.
Vulnerability referenced in template enhancement notes; no further details are given.