
Commvault has disclosed a critical vulnerability affecting its Command Center, identified as CVE-2025-34028, with the maximum CVSS score of 10.0. The flaw allows unauthenticated remote attackers to execute arbitrary code, potentially leading to a full system compromise.
“A critical security vulnerability has been identified in the Command Center installation, allowing remote attackers to execute arbitrary code without authentication,” states the official advisory.
This vulnerability specifically affects Commvault installations running versions 11.38.0 through 11.38.19 on both Linux and Windows platforms. Thankfully, only the Command Center module is impacted; other components of the system remain unaffected.
“This vulnerability could lead to a complete compromise of the Command Center environment. Fortunately, other installations within the same system are not affected by this vulnerability,” alerts the advisory.
The flaw was responsibly disclosed by security researchers at watchTowr.
Commvault addressed the issue in the following Innovation Update releases:
- 11.38.20 (released April 10, 2025)
- 11.38.25 (released April 10, 2025)
The company emphasized that systems on the Innovation Release track are automatically updated on predefined schedules. However, organizations that cannot immediately apply the patch are urged by Commvault to isolate vulnerable Command Center instances from external network access.
“If installing the update is not feasible, then isolate the Command Center installation from external network access,” the advisory warns.
Organizations using affected versions should:
- Patch to 11.38.20 or later immediately
- Audit network exposure of Command Center interfaces
- Implement segmentation to restrict access if patching is delayed
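A small triage helper, added here as an example and not code from Commvault or the advisory, that applies the three steps above to an asset inventory: it flags only Command Center hosts inside the affected 11.38.0 to 11.38.19 range, recommends patching to 11.38.20 or later, and falls back to network isolation where patching must be delayed. The host names and inventory entries are constructed for illustration.

```python
from dataclasses import dataclass

# Affected range and fixed releases as stated in the Commvault advisory for CVE-2025-34028.
AFFECTED_MIN = (11, 38, 0)
AFFECTED_MAX = (11, 38, 19)
FIXED_RELEASES = ("11.38.20", "11.38.25")


def parse_version(text: str) -> tuple:
    """Turn a dotted Commvault version string such as '11.38.19' into a comparable tuple."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts[:3])


def is_affected(version: str) -> bool:
    """True when the version lies inside 11.38.0 .. 11.38.19 inclusive."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


@dataclass
class Host:
    name: str
    version: str
    has_command_center: bool    # only the Command Center module is in scope
    externally_reachable: bool  # reachable from outside the management network


def triage(host: Host, can_patch_now: bool = True) -> str:
    """Map one host to the advisory's remediation: patch, isolate, or no action."""
    if not host.has_command_center or not is_affected(host.version):
        return "not affected"
    if can_patch_now:
        return "patch to 11.38.20 or later"
    if host.externally_reachable:
        return "isolate from external network access until patched"
    return "schedule patch; already isolated"


def triage_inventory(hosts, can_patch_now: bool = True) -> dict:
    """Run triage over a whole inventory, keyed by host name."""
    return {h.name: triage(h, can_patch_now) for h in hosts}


# Constructed sample inventory (hypothetical hosts, not taken from the advisory).
INVENTORY = [
    Host("cc-prod-01", "11.38.12", True, True),
    Host("cc-dr-02", "11.38.19", True, False),
    Host("ma-backup-03", "11.38.5", False, True),   # MediaAgent only, no Command Center
    Host("cc-lab-04", "11.38.20", True, True),      # already on a fixed release
]

if __name__ == "__main__":
    for name, action in triage_inventory(INVENTORY, can_patch_now=False).items():
        print(f"{name}: {action}")
```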
A CVSS 10 vulnerability represents the highest possible level of risk, especially for environments managing sensitive backup and data recovery operations.