Commvault backup systems have an extremely worrying security issue, so patch now


  • A critical-severity security flaw was found in Commvault Command Center
  • It allows threat actors to run arbitrary code remotely and without authentication
  • Successful exploitation could lead to complete compromise of the Command Center environment

Cybersecurity researchers from watchTowr recently discovered a critical-severity flaw in Commvault Command Center that could allow threat actors to run arbitrary code remotely and without authentication.

Commvault Command Center is a web-based interface that provides centralized management for data protection, backup, recovery, and compliance across hybrid environments, used by thousands of companies worldwide across industries like healthcare, finance, government, and manufacturing.

The vulnerability is tracked as CVE-2025-34028 and carries a CVSS score of 9.0 out of 10 (critical).


“A critical security vulnerability has been identified in the Command Center installation, allowing remote attackers to execute arbitrary code without authentication,” Commvault's security advisory said.

“This vulnerability could lead to a complete compromise of the Command Center environment. Fortunately, other installations within the same system are not affected by this vulnerability.”

Because the flaw lets a remote attacker execute arbitrary code without any credentials, anyone who can reach a vulnerable Command Center over the network could use it to take over, for example, a government agency's backup infrastructure.

Once inside, they could manipulate or delete sensitive data, disrupt operations, or install malware to maintain control.

This could lead to data breaches, operational downtime, and loss of public trust. Ultimately, if classified information ends up being exposed, it could turn into a national security issue.

The flaw affects the 11.38 Innovation Release, from version 11.38.0 through 11.38.19. Commvault fixed it in 11.38.20 and 11.38.25, and administrators should upgrade to one of those builds. Because exploitation needs no credentials, any Command Center reachable from untrusted networks should be treated as exposed until it is running a fixed build.
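The version boundaries above are the kind of thing that gets checked against an asset inventory by hand and got wrong. The following is an added triage helper, not code from the article, watchTowr or Commvault: it classifies Command Center version strings against the range stated in the advisory (11.38.0 through 11.38.19 affected; 11.38.20 and 11.38.25 fixed) and reports everything else as needing verification rather than as safe. The hostnames and version strings in the sample inventory are constructed for illustration, and the assumption that Commvault versions look like `major.minor.maintenance` with an optional build or hotfix suffix is mine.

```python
"""Classify Commvault Command Center versions against the CVE-2025-34028 range.

Added example. Boundaries come from the published advisory as reported in the
article: 11.38.0 through 11.38.19 affected; 11.38.20 and 11.38.25 fixed.
Any other build is reported for manual verification, never as "safe".
"""
import re
from dataclasses import dataclass

AFFECTED_LOW = (11, 38, 0)
AFFECTED_HIGH = (11, 38, 19)
FIXED_BUILDS = {(11, 38, 20), (11, 38, 25)}

# Assumed version shape: optional "v", major.minor.maintenance, optional
# build/hotfix tail such as ".1012" or "-HF2". The tail is ignored because the
# advisory defines its range at maintenance-release granularity.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:[.\-+]\S*)?\s*$")


def parse_version(text):
    """Return (major, minor, maintenance) or None if the string is not usable.

    A string without a maintenance number (e.g. "11.38") is deliberately
    rejected: it cannot be placed inside or outside the affected range.
    """
    m = _VERSION_RE.match(text or "")
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def classify(version_text):
    """Map one version string to a triage status."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"        # unparseable: needs a human to look at the host
    if v in FIXED_BUILDS:
        return "fixed"
    if AFFECTED_LOW <= v <= AFFECTED_HIGH:
        return "affected"
    if v[:2] == (11, 38):
        return "verify"         # 11.38.x build the advisory does not name
    return "out-of-scope"       # different release line; advisory says nothing


@dataclass(frozen=True)
class Host:
    name: str
    version: str


def triage(hosts):
    """Group host names by status, preserving inventory order within a group."""
    buckets = {}
    for h in hosts:
        buckets.setdefault(classify(h.version), []).append(h.name)
    return buckets


# Constructed sample inventory; names and versions are made up for illustration.
SAMPLE_HOSTS = [
    Host("cc-prod-01", "11.38.19"),
    Host("cc-prod-02", "11.38.20"),
    Host("cc-dr-01", "11.38.25.1012"),
    Host("cc-lab-01", "11.38.0"),
    Host("cc-legacy-01", "11.36.40"),
    Host("cc-new-01", "11.38.27"),
    Host("cc-unknown", "11.38"),
]

if __name__ == "__main__":
    for status, names in sorted(triage(SAMPLE_HOSTS).items()):
        print(f"{status:>12}: {', '.join(names)}")
```

Feed it the version column exported from whatever inventory tracks the Command Center servers; hosts that land in `affected` are the patch queue, and anything in `verify` or `unknown` should be checked against Commvault's own release notes rather than assumed fixed.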

At the time of writing there was no evidence of exploitation in the wild and no public proof-of-concept (PoC), though that can change quickly once an advisory is out. Most threat actors are not hunting for zero-days; they wait for researchers to disclose a flaw and the vendor to patch it, then go after the systems that lag behind.

They are betting that many organizations won't apply the fix in time, leaving their systems vulnerable and easy to exploit.

Via The Hacker News


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
