
Commvault CVE-2025-34028: SSRF to RCE in Enterprise Backup Software

A critical pre-authentication SSRF in Commvault Command Center, chained with a path traversal during zip extraction, gave unauthenticated attackers remote code execution on backup infrastructure. CISA has added it to the KEV catalog.

Yukti Singhal
Security Researcher

On May 1, 2025, Commvault disclosed CVE-2025-34028, a critical server-side request forgery (SSRF) vulnerability in Commvault Command Center that could be chained to achieve unauthenticated remote code execution. The vulnerability affected Commvault Command Center versions 11.38.0 through 11.38.19 and was patched in versions 11.38.20 and 11.38.25.

WatchTowr Labs discovered and reported the vulnerability. CISA subsequently added CVE-2025-34028 to its Known Exploited Vulnerabilities catalog, indicating confirmed exploitation in the wild.

The Vulnerability Chain

CVE-2025-34028 was not a simple single-step exploit. It was a multi-stage chain: an SSRF in a pre-authentication endpoint was used to pull an attacker-controlled zip onto the server, and the code that unpacked that zip honoured directory traversal sequences in entry names (the "zip slip" pattern):

Stage 1: SSRF. The Commvault Command Center exposed a pre-authentication endpoint that took a request parameter and used it to build the URL of an outbound HTTP request made from the server. This is a classic SSRF pattern: the server acts as a proxy, fetching whatever the attacker names.

Stage 2: Malicious zip delivery. The attacker used the SSRF to make the Commvault server fetch a zip file from an attacker-controlled host.

Stage 3: Path traversal in zip extraction. The Commvault server extracted the fetched zip without validating that each entry's path stayed inside the extraction directory. By placing directory traversal sequences (e.g., ../../) in the archive's entry names, the attacker could write files to any location the service account could write to.

Stage 4: Web shell deployment. By writing a JSP web shell into a directory the servlet container serves, the attacker gained the ability to execute arbitrary commands with the privileges of the Command Center service.

No stage required credentials. Any network-reachable Commvault Command Center instance running a vulnerable version was exploitable.
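The stage-3 flaw is worth seeing in code. The example below is added for this article and is not Commvault's implementation: it builds a zip whose single entry name carries a `../../` prefix (the archive an attacker would serve in stage 2), extracts it with a naive extractor that joins the entry name onto the destination, and then with a hardened extractor that canonicalises every path and rejects anything that escapes the destination, is absolute, or is a symlink. The "webroot" directory, the extraction directory and the JSP payload are all constructed inside a temporary directory so nothing is written anywhere else.

```python
"""Zip slip: a vulnerable extractor beside a hardened one.
Added example for this article, not Commvault's code. Everything here is
constructed inside a temporary directory."""
import io
import os
import stat
import tempfile
import zipfile


def build_zip(entry_name: str, payload: bytes) -> bytes:
    """Build a one-entry archive. ZipFile.writestr stores the name verbatim,
    so a '../' sequence survives exactly as an attacker would ship it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(entry_name, payload)
    return buf.getvalue()


def naive_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Vulnerable pattern (stage 3): join the entry name onto dest and write.
    Nothing checks that the joined path still lies under dest."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # '../' is kept as-is
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Hardened extractor: canonicalise dest and every target, refuse entries
    that are absolute, symlinks, or resolve outside dest."""
    root = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            drive_letter = len(name) > 1 and name[1] == ":"  # C:\... on Windows
            if name.startswith(("/", "\\")) or os.path.isabs(name) or drive_letter:
                raise ValueError(f"absolute entry name rejected: {name!r}")
            if stat.S_ISLNK(info.external_attr >> 16):
                raise ValueError(f"symlink entry rejected: {name!r}")
            target = os.path.realpath(os.path.join(root, name))
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"path traversal rejected: {name!r}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors on the same hostile archive inside a sandbox and
    report where the payload ended up."""
    with tempfile.TemporaryDirectory() as sandbox:
        webroot = os.path.join(sandbox, "webroot")             # stands in for the servlet web root
        extract_dir = os.path.join(sandbox, "tmp", "extract")  # where the server unpacks the zip
        os.makedirs(webroot)
        os.makedirs(extract_dir)

        # Entry climbs two levels out of tmp/extract and lands in webroot.
        hostile = build_zip("../../webroot/shell.jsp", b"<%-- placeholder for a JSP web shell --%>")
        benign = build_zip("package/readme.txt", b"harmless")
        shell_path = os.path.join(webroot, "shell.jsp")

        naive_extract(hostile, extract_dir)
        planted = os.path.isfile(shell_path)
        if planted:
            os.remove(shell_path)

        try:
            safe_extract(hostile, extract_dir)
            rejection = None
        except ValueError as exc:
            rejection = str(exc)

        extracted = safe_extract(benign, extract_dir)
        real_extract_dir = os.path.realpath(extract_dir)
        return {
            "naive_planted_webshell": planted,
            "safe_rejection": rejection,
            "safe_planted_webshell": os.path.isfile(shell_path),
            "safe_benign_files": [os.path.relpath(p, real_extract_dir) for p in extracted],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The important line in the hardened version is the `commonpath` check against a `realpath`-resolved root: it catches `../` sequences, but also entries that pass through a symlink already present under the destination, which a string-prefix check on the raw entry name would miss.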

Why Backup Infrastructure Matters

Backup systems are one of the most sensitive components in any enterprise environment, yet they are frequently overlooked in security programs. A compromised backup system gives an attacker:

Access to everything. Backup systems, by definition, hold copies of data from across the organization. Compromising the backup server is close to compromising every system it protects, because the data can be read or restored elsewhere without touching those systems.

Ransomware leverage. Threat actors increasingly target backup systems specifically to prevent recovery after ransomware deployment. If the backups are destroyed or encrypted, the victim is left with few options other than paying the ransom.

Credential harvesting. Backup systems often store service account credentials with broad access to production systems. These credentials can be used for lateral movement.

Persistence. Backup infrastructure is typically less monitored than production systems. An attacker can maintain access to backup servers for extended periods without detection.

The Commvault vulnerability was particularly concerning because it combined pre-authentication access with the sensitive nature of backup infrastructure. An attacker who successfully exploited CVE-2025-34028 would have gained a position from which they could access backup data across the organization.

SSRF: The Underestimated Vulnerability Class

Server-side request forgery has been steadily climbing the rankings of dangerous vulnerability types. OWASP added SSRF to its Top 10 in 2021 (A10:2021), and it has been a component of several high-profile attacks:

  • Capital One breach (2019): An SSRF through a misconfigured web application firewall was used to reach the EC2 instance metadata service and obtain IAM role credentials, which were then used to read S3 buckets holding over 100 million customer records.
  • Microsoft Exchange SSRF (CVE-2021-26855): The pre-authentication ProxyLogon SSRF, chained into RCE, was the entry point for one of the most widespread exploitation campaigns in history.
  • Atlassian Confluence (CVE-2023-22527): A template (OGNL) injection giving unauthenticated RCE in Confluence Data Center and Server. It is often cited alongside SSRF cases but is not itself an SSRF; it belongs here as another pre-authentication web-tier bug that handed attackers the server.

SSRF is dangerous because it allows an attacker to pivot from external access to internal network access. The server making the request is trusted by internal services that would reject connections from external sources. This trust lets the attacker reach internal APIs, cloud instance metadata endpoints (169.254.169.254 in AWS and other clouds), and other resources that should not be externally accessible. Defences that only check the hostname string are routinely bypassed by redirects, DNS rebinding, and userinfo tricks such as http://trusted@internal/; the request target has to be allowlisted, resolved, and the resolved address checked and pinned before the connection is made.
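The check described above, as an added example for this article (generic defensive code, not Commvault's implementation): the URL must use an allowed scheme, carry no userinfo, name an allowlisted host, and every address that host resolves to must be outside loopback, private, link-local, multicast and cloud metadata ranges. The resolver is injectable, so the demo runs offline against constructed DNS answers; `validate_fetch_target` returns the resolved addresses so the caller can connect to one of them directly instead of resolving again.

```python
"""Allowlist-and-resolve validation for a server-side fetch.
Added example for this article, not Commvault's code. FAKE_DNS holds
constructed answers so the demo runs without network access."""
import ipaddress
import socket
from collections.abc import Callable, Collection
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Refused on top of what ipaddress already flags as private, loopback,
# link-local, multicast, reserved or unspecified.
EXTRA_DENY = [
    ipaddress.ip_network("169.254.169.254/32"),  # cloud instance metadata
    ipaddress.ip_network("100.64.0.0/10"),       # carrier-grade NAT, common inside clouds
]


def default_resolver(host: str) -> set[str]:
    """Every A/AAAA answer; all of them must pass, not just the first."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_forbidden_ip(ip_text: str) -> bool:
    addr = ipaddress.ip_address(ip_text)
    # ::ffff:10.0.0.1 is a dressed-up IPv4 address; judge the inner address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
        return True
    return any(addr in net for net in EXTRA_DENY)


def validate_fetch_target(url: str, allowed_hosts: Collection[str],
                          resolver: Callable[[str], set[str]] = default_resolver) -> tuple[str, list[str]]:
    """Return (hostname, resolved IPs) for a URL the server may fetch, or raise
    ValueError. Connect to one of the returned IPs (setting the Host header
    yourself) rather than re-resolving: that closes the DNS-rebinding window
    between check and use."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL rejected")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    if host.lower() not in allowed_hosts:
        raise ValueError(f"host not on allowlist: {host!r}")
    if parts.port not in (None, 80, 443):
        raise ValueError(f"port not allowed: {parts.port}")
    try:
        ipaddress.ip_address(host)
        addrs = {host}  # literal IP: nothing to resolve
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise ValueError(f"host did not resolve: {host!r}")
    bad = sorted(ip for ip in addrs if is_forbidden_ip(ip))
    if bad:
        raise ValueError(f"{host!r} resolves to a forbidden address: {bad}")
    return host, sorted(addrs)


# Constructed DNS answers (not real records) so the demo is offline.
FAKE_DNS = {
    "updates.example.com": {"198.0.2.10"},
    "rebind.example.com": {"198.0.2.10", "10.0.0.5"},  # one public and one internal answer
    "meta.example.com": {"169.254.169.254"},
    "v6.example.com": {"::ffff:127.0.0.1"},
}
DEMO_ALLOWLIST = frozenset(FAKE_DNS)


def fake_resolver(host: str) -> set[str]:
    return set(FAKE_DNS.get(host, ()))


def check(url: str) -> tuple[bool, str]:
    """(allowed, detail) for one candidate URL under the demo allowlist."""
    try:
        host, ips = validate_fetch_target(url, DEMO_ALLOWLIST, fake_resolver)
        return True, f"allow {host} -> {ips}"
    except ValueError as exc:
        return False, f"deny: {exc}"


if __name__ == "__main__":
    for candidate in ("https://updates.example.com/pkg.zip",
                      "https://rebind.example.com/pkg.zip",
                      "http://meta.example.com/latest/meta-data/",
                      "http://updates.example.com@10.0.0.5/",
                      "gopher://updates.example.com/"):
        print(candidate, "=>", check(candidate)[1])
```

Note the rebind case: a name that returns one public and one internal answer is refused outright, since the attacker controls which answer the server's resolver sees next.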

Remediation

Commvault recommended the following:

  1. Update to Command Center version 11.38.20 or 11.38.25. These versions patch the SSRF vulnerability.
  2. Restrict network access to the Command Center web interface. Like all management interfaces, it should be reachable only from trusted networks.
  3. Review access logs for requests to the vulnerable pre-authenticated endpoint (the path is named in Commvault's advisory). Requests to it from outside the administrative networks, and any subsequent requests for unexpected .jsp files from the same source, may indicate exploitation attempts.
  4. If compromise is suspected, treat the Commvault server as fully compromised and conduct a thorough investigation, including validating backup integrity and rotating any credentials stored on or used by the server.

Defending Backup Infrastructure

Beyond patching CVE-2025-34028, organizations should apply broader protections to their backup infrastructure:

Network segmentation. Backup servers should be in isolated network segments with strict ingress and egress controls. The management interface should be accessible only from dedicated admin workstations.

Immutable backups. Implement immutable backup storage that cannot be modified or deleted, even by administrators. This protects against ransomware actors who target backup systems.

Separate authentication. Backup system credentials should be independent of Active Directory or other centralized identity systems. If an attacker compromises AD, they should not automatically gain access to backups.

Monitor backup integrity. Regularly verify that backups are intact and restorable. Detect anomalies in backup job patterns that might indicate tampering.

How Safeguard.sh Helps

Safeguard.sh includes backup and infrastructure software in its vulnerability tracking capabilities. When critical vulnerabilities like CVE-2025-34028 are disclosed, Safeguard identifies affected Commvault installations in your environment and prioritizes them for immediate remediation.

Safeguard's policy gate functionality can enforce security requirements for backup infrastructure, including minimum software versions, network exposure limits, and patching timelines. By treating backup systems as the critical infrastructure they are, Safeguard helps ensure they receive appropriate security attention rather than being overlooked in favor of more visible application security priorities.
