CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2025-34028

CVSS 9.3v4.0pub. 2025-04-22upd. 2025-11-06

The Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files that represent install packages that, when expanded by the target server, are vulnerable to path traversal vulnerability that can result in Remote Code Execution via malicious JSP. This issue affects Command Center Innovation Release: 11.38.0 to 11.38.20. The vulnerability is fixed in 11.38.20 with SP38-CU20-433 and SP38-CU20-436 and also fixed in 11.38.25 with SP38-CU25-434 and SP38-CU25-438.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Commvault

    APP
    Commvault
    11.38.0 – 11.38.20 (bez)
  • Linux Kernel

    OS
    Linux
    wszystkie wersje
  • Microsoft Windows

    OS
    Microsoft
    wszystkie wersje

CISA KEV — detailsi

Vendori
Commvault
Producti
Command Center
Added to KEVi
May 2, 2025
Remediation deadline (US Federal)i
May 23, 2025(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Commvault Command Center contains a path traversal vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 23 maja 2025
Tags
RCEPath Traversal
CWE
References

Related vulnerabilities

CVE-2026-8398CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2024-7262CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Path Traversal w Kingsoft WPS Office — ładowanie dowolnej biblioteki Windows

CVE-2024-4577CRITICAL9.8⚠ KEVPL ✓ten sam produkt

PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit

CVE-2022-47986CRITICAL9.8⚠ KEVten sam produkt

IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on t...