- A critical severity security failure was found at the Commvault Command Center
- Allows threat actors to execute arbitrary code remotely and without authentication
- Vulnerability could lead to a complete commitment
Watchtowr cybersecurity researchers recently discovered a critical severity failure at the Commvault command center that could allow threat actors to execute the arbitrary code remotely and without authentication.
Commvault Command Center is a web -based interface that provides centralized management for data protection, backup, recovery and compliance with hybrid environments, used by thousands of companies worldwide in industries such as medical care, finance, government and manufacturing.
Vulnerability is tracked as CVE-2025-34028, and has a gravity score of 9.0/10 (critical).
Second increase
“A critical security vulnerability has been identified in the installation of the command center, allowing remote attackers to execute arbitrary code without authentication,” said the security notice.
“This vulnerability could lead to a complete commitment of the environment center environment. Fortunately, other facilities within the same system are not affected by this vulnerability.”
Since this defect allows remote attackers to execute arbitrary code without authentication, a threat actor could exploit it to obtain unauthorized access to, for example, the backup system of a government agency.
Once inside, they could manipulate or eliminate confidential data, interrupt operations or install malware to maintain control.
This could lead to data violations, operational inactivity time and loss of public confidence. Ultimately, if the classified information ends exposed, it could become a national security problem.
Multiple versions are affected by vulnerability: 11.38 Innovation launch, from versions 11.38.0 to 11.38.19. Users who seek to mitigate the defect must opt for versions 11.38.20 and 11.38.25.
Until now, there is no evidence of abuse in nature, and there is still no proof of concept (POC). However, most threat actors are not looking for zero -day vulnerabilities, but are waiting for security researchers to find and look like a defect.
Betting that many users do not stop their final points on time, remain vulnerable and, therefore, easily exploitable.
Through The hacker news
