CVE-2025-34028CRITICAL 10.0CISA KEVEPSS p99.9%

CVE-2025-34028Commvault Command Center Path Traversal Vulnerability

Commvault / Command Center

Description

Commvault Command Center contains a path traversal vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code.

Scoring

CVSS 3.110.0 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS97.13% probability of exploitation · percentile 99.9% · 2026-06-15T12:03:41Z
Published2025-04-22
Last modified2025-11-06

CISA KEV entry

Added to KEV: 2025-05-02

Underlying weaknesses· 2

CWE-22CWE-306

References

  1. https://documentation.commvault.com/securityadvisories/CV_2025_04_1.html
  2. https://github.com/watchtowrlabs/watchTowr-vs-Commvault-PreAuth-RCE-CVE-2025-34028
  3. https://labs.watchtowr.com/fire-in-the-hole-were-breaching-the-vault-commvault-remote-code-execution-cve-2025-34028/
  4. https://www.vulncheck.com/advisories/commvault-command-center-innovation-release-unauthenticated-install-package-path-traversal
  5. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-34028

2

TypeTargetConfidenceTier
WeaknessImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal')cwe-220%live
WeaknessMissing Authentication for Critical Functioncwe-3060%live

(incoming)1

TypeTargetConfidenceTier
KEVEntryCommvault Command Center Path Traversal Vulnerabilitykev-cve-2025-340280%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
Commvault Web Server Unspecified Vulnerability
CVE
Ivanti Cloud Services Appliance (CSA) Path Traversal Vulnerability
CVE
CVE-2025-9713
CVE
CVE-2025-41229
CVE
SolarWinds Serv-U Path Traversal Vulnerability
CVE
Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability
Sourced from NVD + CISA KEV + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.