Commvault Command Center Innovation Release <= 11.38.25 Unathenticated Install Package Path Traversal

Advisories

severity: critical
date: April 22, 2025
Affecting: Command Center Innovation Release 11.38.0 <= 11.38.25
CVE: CVE-2025-34028
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-306 Missing Authentication for Critical Function
CVSS: 9.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H
References: Commvault Advisory
watchTowr Disclosure
watchTowr PoC
Credit: Sonny of watchTowr
VulnCheck KEV: This advisory is in the VulnCheck KEV database