207 matches found
CVE-2021-34995
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Commvault CommCell 11.22.22. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the...
CVE-2021-34993
This vulnerability allows remote attackers to bypass authentication on affected installations of Commvault CommCell 11.22.22. Authentication is not required to exploit this vulnerability. The specific flaw exists within the CVSearchService service. The issue results from the lack of proper...
CVE-2021-34994
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Commvault CommCell 11.22.22. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the DataProvider...
CVE-2020-25780
In CommCell in Commvault before 14.68, 15.x before 15.58, 16.x before 16.44, 17.x before 17.29, and 18.x before 18.13, Directory Traversal can occur such that an attempt to view a log file can instead view a file outside of the log-files folder...
Advisory Update on Cyber Threat Activity Targeting Commvault’s SaaS Cloud Application (Metallic)
Commvault is monitoring cyber threat activity targeting their applications hosted in their Microsoft Azure cloud environment. Threat actors may have accessed client secrets for Commvault’s Metallic Microsoft 365 (M365) backup software-as-a-service (SaaS) solution, hosted in Azure. This provided the...
A vulnerability in CommVault’s backup and disaster recovery platform, caused by improper limitation of a pathname to a restricted directory, allows an attacker to execute arbitrary code.
The vulnerability in CommVault’s backup and disaster recovery platform stems from improper limitation of a pathname to a restricted directory. Exploiting this vulnerability could allow a remote attacker to execute arbitrary code...
Commvault Command Center upload path traversal
Added: 05/16/2025. Background: Commvault is a unified backup and recovery solution for cloud ready organizations. It gives complete backup and recovery protection for your business to cover all data wherever it resides. Problem: A path traversal vulnerability allows unauthenticated users to upload...
Commvault Command Center Innovation Release 11.38 Remote Code Execution
Remote code execution exploit for Commvault Command Center version 11.38. Written in Python. This tool allows testing single targets or scanning multiple hosts in bulk...
Exploit for Missing Authentication for Critical Function in Commvault
CVE-2025-34028 - Commvault Command Center Remote Code Executio...
Commvault CVE-2025-34028 Added to CISA KEV After Active Exploitation Confirmed
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a maximum-severity security flaw impacting Commvault Command Center to its Known Exploited Vulnerabilities (KEV) catalog, a little over a week after it was publicly disclosed. The vulnerability in question is CVE-2025-34028 CV...
A vulnerability in CommVault’s backup and disaster recovery web server allows an attacker to execute arbitrary code.
The vulnerability in CommVault’s backup and disaster recovery web server stems from deficiencies in the mechanism for verifying input data. Exploiting this vulnerability allows a remote attacker to execute arbitrary code...
CISA Adds Two Known Exploited Vulnerabilities to Catalog
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2025-34028 Commvault Command Center Path Traversal Vulnerability; CVE-2024-58136 Yiiframework Yii Improper Protection of Alternate Pa...
Commvault Command Center Path Traversal Vulnerability
Commvault Command Center contains a path traversal vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code...
Commvault Confirms Hackers Exploited CVE-2025-3928 as Zero-Day in Azure Breach
Enterprise data backup platform Commvault has revealed that an unknown nation-state threat actor breached its Microsoft Azure environment by exploiting CVE-2025-3928 but emphasized there is no evidence of unauthorized data access. "This activity has affected a small number of customers we have in...
VulnCheck KEV: CVE-2025-34028
Commvault Command Center contains a path traversal vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code...
Commvault Web Server unspecified vulnerability
RISK EVALUATION: According to Commvault: "The Web Server is a component in CommCell environments that provides a RESTful interface to the software where users can perform various tasks using available APIs". A remote, authenticated attacker can exploit an unspecified vulnerability to compromise a...
CISA Adds Actively Exploited Broadcom and Commvault Flaws to KEV Database
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added two high-severity security flaws impacting Broadcom Brocade Fabric OS and Commvault Web Server to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The vulnerabilities...
PT-2025-18218 · Undefined · Undefined
🛡️ ALERT: CISA Adds Broadcom & Commvault Vulnerabilities to KEV Database These flaws are actively exploited in the wild. If you're running affected products, patch ASAP. 📌 Broadcom ID: CVE-2023-12345 📌 Commvault ID: CVE-2024-67890 📆 Mitigation deadline: Insert date if known https://t.co/dtEaewjtfL...
Commvault Web Server Unspecified Vulnerability
Commvault Web Server contains an unspecified vulnerability that allows a remote, authenticated attacker to create and execute webshells...