Max-Severity Commvault Bug Alarms Researchers


Security researchers have disclosed a critical remote code execution (RCE) vulnerability, CVE-2025-34028, in Commvault's Command Center (versions 11.38.0 to 11.38.19) that allows unauthenticated remote attackers to execute arbitrary code on both Windows and Linux systems. This pre-auth Server-Side Request Forgery (SSRF) flaw was discovered by watchTowr Labs and affects Commvault’s widely deployed data protection and backup management interface.

Commvault has released an automatic fix via version 11.38.20, and strongly urges users to verify the update has been successfully applied, especially in environments that may block automatic updates. Organizations are advised to treat this as an emergency change, isolate the Command Center, and restrict internet access to its interface until patch validation is complete.

The vulnerability allows an attacker to send a crafted HTTP request that makes the server download and execute a remote ZIP payload containing a web shell, leading to complete compromise of the target environment. Commvault customers include major corporations such as 3M, Deloitte, Sony, and AstraZeneca, which raises the potential impact.

Security experts recommend monitoring for suspicious outbound connections, unauthorized file writes, and access to vulnerable paths like /reports/MetricsUpload. Logging, interface isolation, and segmentation are also advised as interim containment steps.
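One way to act on the path-monitoring advice above, as an added example that is not from the article, watchTowr Labs, or Commvault: a small triage script that scans web-server access logs for requests to the /reports/MetricsUpload path and reports the source, method, status and whether the client is outside the internal address space. The log format (combined-style), the web application mount path and the internal address prefix are assumptions; the sample log lines are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/Nginx combined-log style (assumed format; not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [24/Apr/2025:10:01:02 +0000] "GET /commandcenter/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Apr/2025:10:02:15 +0000] "POST /commandcenter/reports/MetricsUpload HTTP/1.1" 200 221 "-" "python-requests/2.31"
10.0.0.5 - - [24/Apr/2025:10:03:40 +0000] "GET /commandcenter/api/Login HTTP/1.1" 401 120 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Apr/2025:10:04:01 +0000] "POST /commandcenter/reports/MetricsUpload HTTP/1.1" 500 87 "-" "curl/8.4"
"""

# Fields we need from a combined-style log line: client address, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The path the article names as one to watch; matched case-insensitively and anywhere in the
# request path so that a differing mount prefix or trailing query string does not hide a hit.
WATCH_PATH = "/reports/MetricsUpload"


def find_metrics_upload_hits(log_text, internal_prefixes=("10.",)):
    """Return one record per request touching WATCH_PATH, flagging external sources.

    internal_prefixes is an assumed list of address prefixes considered on-network;
    anything else is flagged external, which is the case the advisory text warns about.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or WATCH_PATH.lower() not in m["path"].lower():
            continue
        hits.append({
            "src": m["src"],
            "ts": m["ts"],
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
            "external": not m["src"].startswith(internal_prefixes),
        })
    return hits


def hits_by_source(hits):
    """Count matching requests per client address, useful for spotting repeated probing."""
    return Counter(h["src"] for h in hits)


if __name__ == "__main__":
    found = find_metrics_upload_hits(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["src"]:>15} {h["method"]} {h["path"]} -> {h["status"]}'
              f'{"  [EXTERNAL]" if h["external"] else ""}')
    print("per-source counts:", dict(hits_by_source(found)))
```

A hit with a 2xx status from an external address deserves the same follow-up the article recommends for the interface itself: check for new file writes under the application directory and for outbound connections from the host around that timestamp.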
