A critical vulnerability in Commvault’s Backup and Recovery solution, assigned CVE-2025-34028, would have let a remote, unauthenticated attacker gain complete control over the Command Center environment.

The vulnerability, identified by WatchTowr, which disclosed details today after Commvault pushed a patch on April 10, affects both the Windows and Linux flavours of the backup software, but only two of its “Innovation Release” versions. The bug earned a CVSS rating of 9.0.

WatchTowr, clearly impressed with the responsiveness of Commvault’s security team, said that only a week passed between its vulnerability disclosure and a full patch (“Has to be record-breaking in our experience!”).

It added in its technical writeup: “Commvault PSIRT has communicated that this vulnerability specifically affects their Innovation Release, which appears to maintain the cutting-edge features of the Commvault solution; the vulnerable function is apparently only a recent addition….”

Commvault, which lists a wide range of blue chips as customers, said in its advisory that the bug “impacts only the 11.38 Innovation Release” and has been resolved in the following Innovation Update releases: 11.38.20 and 11.38.25, both of which include the fix as of April 10, 2025.

“Innovation releases are automatically managed according to predefined schedules, so manual intervention is not required,” it added.

WatchTowr’s technical teardown is here.