
CV_2025_04_1: Vulnerability in Commvault Command Center Installation CRITICAL

  • Advisory ID: CV_2025_04_1
  • Severity: CRITICAL
  • Issued: 2025-04-11
  • Updated: 2025-05-07
  • CVSS Score Range: 10

A critical security vulnerability has been identified in the Command Center installation that allows a remote attacker to execute arbitrary code without authentication. Successful exploitation could lead to a complete compromise of the Command Center environment. Other installations within the same environment are not affected by this vulnerability.

Acknowledgments:

We thank watchTowr for responsibly disclosing this issue.

Impacted Products

  • Product: Commvault
  • Platforms: Linux, Windows
  • Affected Versions: 11.38.0 - 11.38.19
  • Resolved Version: 11.38.20
  • Status: Resolved

Resolution

This vulnerability affects only the 11.38 Innovation Release. It is resolved in the following Innovation Update releases when the listed additional updates are also installed; the maintenance release alone, without those additional updates, does not complete the fix. No other release is affected.

  • 11.38.20, with the following additional updates:

    • SP38-CU20-433

    • SP38-CU20-436

  • 11.38.25, with the following additional updates:

    • SP38-CU25-434

    • SP38-CU25-438

To download and install the latest updates, see Downloading Software On Demand.

To verify that the updates are installed on every Command Center installation, open the Server listing page in Command Center, select each Command Center installation, and confirm that the additional updates listed above appear under Additional Updates.

If installing the update is not feasible, isolate the Command Center installation from external network access (in particular, do not expose it to the internet) until the update can be applied.

For Commvault SaaS customers, all necessary patches, including those addressing this vulnerability, are automatically deployed by Commvault. No customer action is required.

UPDATE (April 25, 2025): Added the CVE ID for this vulnerability.

UPDATE (May 1, 2025): Added details for Commvault SaaS customers.

UPDATE (May 6, 2025): Added details about the additional updates.

CVE Details

Description: A path traversal vulnerability in Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files which, when expanded by the target server, result in remote code execution. This issue affects Command Center Innovation Release 11.38.
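The description above names the bug class rather than a specific code path: an archive whose entry names carry path-traversal sequences, honoured by the server when it expands the archive (commonly called zip slip). The following is an added example written for this page; it is not Commvault's code and does not reproduce the affected code path or any Command Center endpoint. It builds an in-memory archive with an entry named `../../escaped.jsp`, shows the naive extractor writing that entry outside its intended directory (inside a throwaway sandbox only), and shows a hardened extractor that rejects the whole archive before writing anything. The directory names and file contents are constructed for illustration.

```python
"""Zip-slip (path traversal via archive entry names): vulnerable and hardened
extraction side by side. Added illustration only; not Commvault code, and the
archives below are constructed in memory rather than captured from traffic."""
from __future__ import annotations

import io
import os
import tempfile
import zipfile
from pathlib import Path


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build an archive in memory. zipfile stores entry names verbatim, so a
    name such as '../../x' is written exactly as given (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def unsafe_extract(archive: bytes, dest: Path) -> list[Path]:
    """Vulnerable pattern: the entry name is joined onto the extraction
    directory and written without checking where the result lands (the same
    shape as File(dest, entry.getName()) in many server-side unzip routines)."""
    written: list[Path] = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = dest / info.filename          # '../' in the name is honoured
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target.resolve())
    return written


def safe_extract(archive: bytes, dest: Path) -> list[Path]:
    """Hardened form: resolve every entry against the extraction root and refuse
    the whole archive if any entry escapes, before a single byte is written."""
    root = dest.resolve()
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        planned: list[tuple[zipfile.ZipInfo, Path]] = []
        for info in zf.infolist():
            target = (root / info.filename).resolve()
            # Checking the resolved path (not the string) collapses '..' and
            # absolute names; anything whose common prefix with root is not
            # root itself lies outside the extraction directory.
            if os.path.commonpath([root, target]) != str(root):
                raise ValueError(f"entry escapes extraction root: {info.filename!r}")
            planned.append((info, target))
        written: list[Path] = []
        for info, target in planned:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors inside a temporary sandbox so the escaped file
    only ever lands within the temp directory (assumed layout for illustration)."""
    malicious = build_zip({
        "benign.txt": b"hello",
        "../../escaped.jsp": b"<%-- attacker-controlled content --%>",
    })
    benign = build_zip({"report/summary.txt": b"ok"})
    with tempfile.TemporaryDirectory() as tmp:
        sandbox = Path(tmp).resolve()
        dest = sandbox / "webapps" / "uploads" / "job1"
        dest.mkdir(parents=True)
        # Files the naive extractor wrote outside its own extraction directory.
        outside = [
            p.relative_to(sandbox).as_posix()
            for p in unsafe_extract(malicious, dest)
            if os.path.commonpath([dest, p]) != str(dest)
        ]
        try:
            safe_extract(malicious, sandbox / "hardened")
            rejected = False
        except ValueError:
            rejected = True
        hardened_root = (sandbox / "hardened2").resolve()
        ok = [p.relative_to(hardened_root).as_posix()
              for p in safe_extract(benign, sandbox / "hardened2")]
    return {"written_outside_root": outside,
            "hardened_rejected": rejected,
            "hardened_benign": ok}


if __name__ == "__main__":
    print(demo())
```

Run the file directly to see the naive extractor drop `escaped.jsp` two directories above its upload folder (the web application root in the assumed layout) while the hardened extractor refuses the archive outright. Two design points matter: the check is on the resolved path rather than a string search for `..`, so absolute entry names and mixed separators are caught as well, and every entry is validated before any is written, so a rejected archive never leaves a partially expanded tree on disk.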

Documentation

https://documentation.commvault.com