- Advisory ID: CV_2025_04_1
- Severity: CRITICAL
- Issued: 2025-04-11
- Updated: 2025-04-25
- CVSS Score Range: 10
- Additional Links:
A critical security vulnerability has been identified in the Command Center installation that allows a remote, unauthenticated attacker to execute arbitrary code. Successful exploitation could lead to a complete compromise of the Command Center environment. Other Commvault installations within the same system are not affected by this vulnerability.
Acknowledgments:
We thank watchTowr for responsibly disclosing this issue.
Impacted Products
Product | Platforms | Affected Versions | Resolved Version | Status |
---|---|---|---|---|
Commvault | Linux, Windows | 11.38.0 - 11.38.19 | 11.38.20 | Resolved |
Resolution
This vulnerability affects only the 11.38 Innovation Release and has been resolved in the following Innovation Update releases. All other versions are not affected.
- 11.38.20, which includes the fix as of April 10, 2025
- 11.38.25, which includes the fix as of April 10, 2025
Innovation releases are automatically managed according to predefined schedules, so manual intervention is not required.
If installing the update is not feasible, isolate the Command Center installation from external network access until the fix can be applied.
UPDATE (April 25, 2025) – Added the CVE ID for this vulnerability.
CVE Details
Info | Description |
---|---|
| A path traversal vulnerability in Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files, which, when expanded by the target server, result in Remote Code Execution. This issue affects Command Center Innovation Release: 11.38. |
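The CVE description names the vulnerability class: an uploaded archive whose member names climb out of the directory the server expands it into (commonly called zip slip). The following is an added illustration of that class and not Commvault code; it does not reproduce the Command Center upload endpoint, and every path, function name and the sample archive are constructed for the demonstration. It shows the unsafe extraction loop beside a hardened one that checks each member's resolved path stays under the destination before writing.

```python
"""Zip-slip pre-check and extraction, added as an example of the vulnerability
class in the advisory. Not Commvault code; all names and paths are constructed."""
import io
import os
import tempfile
import zipfile


def build_sample_zip() -> bytes:
    # Constructed sample archive, not a real upload: one benign member and one
    # whose name climbs two directories above the extraction root.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("webapp/index.html", "<html>ok</html>")
        zf.writestr("../../escape.txt", "landed outside the upload directory")
    return buf.getvalue()


def find_traversal_entries(zip_bytes: bytes, dest: str) -> list[str]:
    """Return member names that would resolve outside `dest` when joined to it.
    Run this over an untrusted archive before extracting anything from it."""
    dest_real = os.path.realpath(dest)
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # ZIP member names use '/', so absolute paths or backslashes are hostile.
            if name.startswith(("/", "\\")) or "\\" in name:
                flagged.append(name)
                continue
            target = os.path.realpath(os.path.join(dest_real, name))
            if os.path.commonpath([dest_real, target]) != dest_real:
                flagged.append(name)
    return flagged


def naive_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Vulnerable pattern: trusts member names and joins them to `dest`.
    This hand-rolled loop is the shape behind most zip-slip bugs; it is kept
    here as the 'before' case. Returns the real paths it wrote."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = os.path.join(dest, info.filename)  # no containment check
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(path))
    return written


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Hardened version: reject the whole archive if any member escapes, then
    write only to paths already proven to lie under `dest`."""
    flagged = find_traversal_entries(zip_bytes, dest)
    if flagged:
        raise ValueError(f"refusing archive: traversal members {flagged}")
    dest_real = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = os.path.realpath(os.path.join(dest_real, info.filename))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(zf.read(info))
            written.append(path)
    return written


def run_demo() -> dict:
    """Exercise both extractors in a throwaway directory and report the outcome."""
    root = tempfile.mkdtemp()
    dest = os.path.join(root, "webroot", "uploads")
    os.makedirs(dest)
    data = build_sample_zip()
    flagged = find_traversal_entries(data, dest)
    naive_extract(data, dest)
    # The naive loop writes root/escape.txt, two levels above the upload dir.
    escaped = os.path.exists(os.path.join(root, "escape.txt"))
    try:
        safe_extract(data, os.path.join(root, "safe"))
        rejected = False
    except ValueError:
        rejected = True
    return {"flagged": flagged, "naive_escaped": escaped, "safe_rejected": rejected}


if __name__ == "__main__":
    print(run_demo())
```

The containment check compares the fully resolved target against the resolved destination rather than string-matching for `..`, so encoded or nested forms such as `a/../../x` are caught as well; rejecting the whole archive on the first bad member avoids leaving a half-extracted upload on disk.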