A critical flaw (CVE-2025-34028, CVSS 9.0) in Commvault Command Center (11.38.0–11.38.19) allows unauthenticated remote code execution via an SSRF in the deployWebpackage.do endpoint. Patched in 11.38.20 and 11.38.25, users should update immediately to avoid compromise.

‍