Commvault Flaw Remains Dangerous Despite Patch: Researchers Raise Alarms Over CVE-2025-34028

In a surprising development, cybersecurity experts are raising red flags about a supposedly patched critical vulnerability in Commvault Command Center. Although updates were released to address the server-side request forgery (SSRF) flaw—cataloged as CVE-2025-34028—researchers have confirmed the bug is still exploitable, casting doubt on the effectiveness of Commvault’s remediation efforts. As the US Cybersecurity and Infrastructure Security Agency (CISA) lists the vulnerability among actively exploited threats, the issue poses an ongoing risk to major enterprise environments relying on Commvault’s data protection and backup infrastructure.

Ongoing Exploitation Despite Patch

Security researcher Will Dormann and the team at watchTowr discovered that Commvault’s security patches, released in versions 11.38.20 and 11.38.25, fail to fully address the issue. The bug allows remote, unauthenticated attackers to perform SSRF attacks—potentially leading to complete system compromise. Although Commvault claimed to have fixed the flaw, Dormann’s tests show the exploit remains functional even in the latest build, version 11.38.25.

The vulnerability, which carries a perfect CVSS score of 10.0, is among the most severe. It allows attackers to trigger the software to make unauthorized HTTP requests, potentially executing arbitrary code. The proof-of-concept exploit developed by watchTowr can cause a vulnerable server to download a web shell, allowing complete remote control.

Key Developments

CVE-2025-34028 is a maximum severity SSRF flaw affecting Commvault Command Center versions 11.38.0 to 11.38.19.
Commvault claimed patches in versions 11.38.20 and 11.38.25 remedied the issue.
Research from watchTowr and Will Dormann shows the exploit still works on 11.38.20 and 11.38.25.
CISA has added the flaw to its Known Exploited Vulnerabilities list due to active in-the-wild exploitation.
The exploit allows pre-authentication remote attackers to trigger HTTP requests and potentially implant web shells.
Dormann questions why two separate version updates were needed for a single flaw, suggesting a patching inconsistency.
Commvault has not publicly commented on the continued exploitability as of this writing.
The vulnerability directly impacts enterprises relying on Commvault, such as 3M, ADP, ING, Sony, Deloitte, and AstraZeneca.
Security experts warn of ransomware threats that can hijack backup infrastructures via this flaw.
Automatic updates are supposed to protect customers, but manual steps like isolation and access restrictions are still recommended.
Experts demand transparency and clarity from Commvault regarding patch validation processes.

What Undercode Says:

The persistence of CVE-2025-34028 in patched versions raises serious concerns about software supply chain security and the reliability of vendor-provided remediation. This situation reflects broader industry challenges where vendors rush to deploy security patches under pressure, often without adequate regression testing or third-party validation.

Dormann’s discovery signals a breakdown in secure software lifecycle practices. Patch validation, both internal and external, is non-negotiable when dealing with critical infrastructure software. When the remediation fails silently, organizations face a dual threat: not only is the system still vulnerable, but defenders may wrongly assume they’re protected, leaving doors wide open for exploitation.

This incident exposes a systemic flaw in the trust model. Enterprises depend on vendors to issue reliable fixes and on government advisories to guide their response. If both falter, attackers gain extended opportunities for compromise, especially in high-value targets like backup environments, where stealthy persistence is ideal.

Commvault’s client base—spanning healthcare, finance, tech, and government sectors—should treat this event as a wake-up call. SSRF vulnerabilities are increasingly leveraged for lateral movement and internal reconnaissance. The combination of pre-auth access and SSRF in backup infrastructure represents a perfect storm for ransomware operators and APTs.

Moreover, this isn’t a case of “zero-day” chaos—this is a vendor-issued fix that doesn’t fix. That’s a whole new level of risk, especially when updates are said to be applied automatically. Enterprises must adopt a trust-but-verify model and consider integrating exploit validation tools and security-focused CI/CD pipelines that test third-party software for known flaws—even after official patching.

From a SOC perspective, defenders should now assume that Commvault Command Center may still be vulnerable even after updating. This means:

Hunting actively for signs of exploitation rather than relying on patch status.
Isolating vulnerable nodes from the core network.
Auditing logs for SSRF behavior or unexpected outbound connections.
Treating the backup system as a high-risk asset rather than a secure fallback.
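As an added illustration of the log-auditing step above (this is example code written for this page, not code from the article, Commvault, or watchTowr), the Python below triages egress log lines from a backup server against an allowlist of destinations the server is expected to contact. The log line format, host names, allowlist, and sample lines are all constructed assumptions; Commvault's real log format and a production proxy's format will differ, so only the parser would need adapting.

```python
"""Egress-log triage for a backup server that may still be exposed to SSRF.

Assumed, constructed inputs: proxy/firewall egress lines in the simple format
"timestamp src_host dst_host:port method url" (NOT Commvault's real log
format) and an allowlist of destinations the Command Center host legitimately
talks to. Any other outbound HTTP(S) request is reported for analyst review,
with extra reasons when the destination is a raw IP or an internal address,
since an SSRF primitive lets an external attacker reach those through the
server.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple
from urllib.parse import urlparse

# Constructed sample lines (hypothetical hosts; the last line is malformed on purpose).
SAMPLE_LOG = """\
2025-04-24T10:01:02Z cc-server01 updates.example-vendor.test:443 GET https://updates.example-vendor.test/manifest.json
2025-04-24T10:01:05Z cc-server01 backup-store.internal.test:443 PUT https://backup-store.internal.test/vol/17
2025-04-24T10:02:11Z cc-server01 cdn.unknown-host.test:8080 GET http://cdn.unknown-host.test:8080/tmp/x.txt
2025-04-24T10:02:12Z cc-server01 cdn.unknown-host.test:8080 GET http://cdn.unknown-host.test:8080/tmp/x.txt
2025-04-24T10:03:00Z cc-server01 10.0.5.21:8500 GET http://10.0.5.21:8500/status
2025-04-24T10:03:30Z cc-server01 malformed line here
"""

# Assumed allowlist: the only destinations this backup server should reach.
ALLOWLIST: Set[str] = {"updates.example-vendor.test", "backup-store.internal.test"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$"
)


@dataclass(frozen=True)
class EgressEvent:
    ts: str
    src: str
    dst_host: str
    dst_port: int
    method: str
    url: str


@dataclass(frozen=True)
class Finding:
    event: EgressEvent
    reasons: Tuple[str, ...]


@dataclass
class TriageReport:
    findings: List[Finding] = field(default_factory=list)
    skipped_lines: int = 0                       # lines the parser could not read
    hits_by_destination: Counter = field(default_factory=Counter)


def parse_line(line: str) -> Optional[EgressEvent]:
    """Parse one assumed-format log line; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parsed = urlparse(m["url"])
    host = parsed.hostname
    if host is None:
        return None
    port = parsed.port or (443 if parsed.scheme == "https" else 80)
    return EgressEvent(m["ts"], m["src"], host, port, m["method"], m["url"])


def classify(event: EgressEvent, allowlist: Set[str]) -> List[str]:
    """Return the list of reasons an event deserves review (empty = benign)."""
    reasons: List[str] = []
    if event.dst_host not in allowlist:
        reasons.append("destination not in allowlist")
    try:
        addr = ipaddress.ip_address(event.dst_host)
    except ValueError:
        addr = None                              # hostname, not an IP literal
    if addr is not None:
        reasons.append("raw IP destination")
        if addr.is_private or addr.is_link_local or addr.is_loopback:
            reasons.append("internal address reached from backup server")
    return reasons


def triage(log_text: str, allowlist: Set[str]) -> TriageReport:
    """Run every line through parse + classify and collect the findings."""
    report = TriageReport()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            report.skipped_lines += 1            # surface, don't silently drop
            continue
        reasons = classify(event, allowlist)
        if reasons:
            report.findings.append(Finding(event, tuple(reasons)))
            report.hits_by_destination[event.dst_host] += 1
    return report


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG, ALLOWLIST)
    for f in rep.findings:
        print(f"{f.event.ts} {f.event.method} {f.event.url} -> {', '.join(f.reasons)}")
    print(f"skipped {rep.skipped_lines} unparseable line(s); "
          f"flagged destinations: {dict(rep.hits_by_destination)}")
```

The allowlist approach matters more than any single signature here: because the research says the patched builds still honour attacker-supplied requests, the reliable signal is the backup server reaching somewhere it has no business reaching, regardless of which build is installed. Repeated hits to one unknown destination, or any request to an internal address that the backup workflow does not use, are the events worth escalating.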

The SSRF issue proves that pre-auth vulnerabilities are no longer rare and should be part of every organization’s risk model. If companies like Commvault—trusted by some of the world’s largest enterprises—can fail to deliver secure patches, the industry must rethink assumptions around post-patch safety.

Fact Checker Results

CVE-2025-34028 has been confirmed by multiple sources as actively exploited despite claims of remediation.
Dormann’s public analysis and PoC results corroborate that patched versions remain vulnerable.
CISA’s inclusion of the flaw in its KEV catalog confirms the seriousness and real-world risk of ongoing exploitation.

Prediction

Unless Commvault issues a verified and independently tested hotfix, the CVE-2025-34028 vulnerability will continue to be exploited across enterprise environments in Q2 and Q3 of 2025. Expect threat actors to increasingly target backup systems as a means of long-term persistence and ransomware staging. This will likely lead to regulatory scrutiny, increased demand for third-party patch validation, and potential shifts in enterprise backup software procurement policies.

References:

Reported By: www.darkreading.com