CVE-2025-34028

CRITICAL KEV NUCLEI

Commvault Command Center Innovation Release <11.38.20 - Path Traversal

Exploitation Summary

CVE-2025-34028 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added May 2, 2025. EIP tracks 5 public exploits from researchers including iSee857, watchtowrlabs, and Mattb709. A Nuclei detection template is also available.

Description

The Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files that represent install packages that, when expanded by the target server, are vulnerable to path traversal that can result in Remote Code Execution via malicious JSP. This issue affects Command Center Innovation Release: 11.38.0 to 11.38.20. The vulnerability is fixed in 11.38.20 with SP38-CU20-433 and SP38-CU20-436 and also fixed in 11.38.25 with SP38-CU25-434 and SP38-CU25-438.

Exploits (5)

github WORKING POC 40 stars
by iSee857 · pythonpoc
https://github.com/iSee857/CVE-PoC/tree/main/Commvault-CVE-2025-34028.py

The repository contains a functional exploit for CVE-2025-34028 targeting Commvault, demonstrating command execution via session manipulation. The PoC includes a multi-threaded scanner for detecting vulnerable instances and executing commands.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Commvault
No auth needed
Prerequisites: Network access to the target · Commvault service exposed
devstral-2 · analyzed Feb 27, 2026

nomisec WORKING POC 21 stars
by watchtowrlabs · remote
https://github.com/watchtowrlabs/watchTowr-vs-Commvault-PreAuth-RCE-CVE-2025-34028

This PoC exploits CVE-2025-34028, a pre-authenticated RCE vulnerability in Commvault. It uploads a malicious ZIP file containing a JSP shell to a public directory, then retrieves system user information via the deployed shell.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Commvault Windows and Linux 11.38.0 - 11.38.19
No auth needed
Prerequisites: Network access to Commvault web interface · Vulnerable version of Commvault
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 2 stars
by Mattb709 · remote
https://github.com/Mattb709/CVE-2025-34028-PoC-Commvault-RCE

This is a functional Python exploit for CVE-2025-34028, targeting a remote code execution vulnerability in Commvault Command Center. It uploads a malicious shell payload via a path traversal vulnerability and retrieves system user information.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Commvault Command Center
No auth needed
Prerequisites: Network access to the Commvault Command Center · Target must be running a vulnerable version of Commvault
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER 1 star
by becrevex · remote
https://github.com/becrevex/Commvault-CVE-2025-34028

This repository provides an Nmap NSE script to scan for CVE-2025-34028, a remote code execution vulnerability in Commvault. The script is designed to be run against HTTPS ports to detect the vulnerability.

Classification: Scanner 80%
Attack Type: RCE
Complexity: Trivial
Reliability: Theoretical
Target: Commvault (version not specified)
No auth needed
Prerequisites: Nmap with NSE support · Network access to target on port 443
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER
by tinkerlev · infoleak
https://github.com/tinkerlev/commvault-cve2025-34028-check

This repository contains an Nmap NSE script designed to detect inconsistencies in web infrastructure responses, potentially identifying access control or configuration issues. It does not include exploit code but serves as a diagnostic tool for authorized audits.

Classification: Scanner 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Web infrastructure (generic)
No auth needed
Prerequisites: Nmap with NSE support · Network access to target
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Commvault - SSRF via /commandcenter/deployWebpackage.do
CRITICAL · VERIFIED · by DhiyaneshDk, abhishekrautela
FOFA: icon_hash="1209838013"

Scores

CVSS v3 10.0
EPSS 0.6933
EPSS Percentile 98.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2025-05-02
VulnCheck KEV 2025-04-30
ENISA EUVD EUVD-2025-12275
CWE CWE-22, CWE-306
Status published
Products (1)
commvault/commvault 11.38.0 - 11.38.20
Published Apr 22, 2025
KEV Added May 02, 2025
Tracked Since Feb 18, 2026