
New Commvault Zero-Day Hits CISA Exploited List


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a new Commvault vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, warning that attackers are actively targeting the flaw just days after proof-of-concept (PoC) exploit code was made public.

The flaw, CVE-2025-34028, carries a CVSS score of 10.0, indicating maximum severity. It impacts Commvault Command Center versions 11.38.0 to 11.38.19 under the Innovation Release track. Commvault addressed the issue in versions 11.38.20 and 11.38.25.

What Is CVE-2025-34028?

The vulnerability is a path traversal bug in Commvault's web-based Command Center that allows unauthenticated remote code execution (RCE). The Command Center accepts ZIP archives and unpacks them automatically; because the entry names inside an archive are not confined to the extraction directory, a crafted archive can write files outside it. If the archive carries a web shell or other payload, the server ends up hosting and executing it, with no user interaction required.

Commvault's advisory describes the bug as allowing complete takeover of the Command Center environment. The company has not itself confirmed in-the-wild exploitation, but CISA's move indicates that threat actors are actively targeting the vulnerability.

Exploitation Details

A week before the CISA alert, cybersecurity firm watchTowr published a technical write-up and PoC code for CVE-2025-34028. The exploit tricks the server into fetching a ZIP file from an attacker-controlled external server. The server unpacks the archive into a temporary directory; a path traversal in the archive's entry names then places the embedded payload in a directory that the web application serves without authentication, from which the attacker can invoke it.
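The mechanism described in the two sections above is the archive-extraction form of path traversal (often called "zip slip"): an entry name such as `../../webroot/shell.jsp` is joined onto the extraction directory and written wherever it resolves. The following is an added example, not code from the original article or from Commvault or watchTowr, and it says nothing about the actual Command Center endpoint or code path. It builds a constructed archive in memory with an inert marker file in place of a web shell, shows a naive extractor writing that file outside its target directory, and shows a hardened extractor that validates every entry before writing anything. The directory names (`app/extract`, `webroot`, `safe`) are assumptions chosen for the demo.

```python
import io
import os
import shutil
import tempfile
import zipfile


def build_malicious_zip() -> bytes:
    """Constructed sample archive (not a real exploit artifact).

    One benign entry plus one whose name climbs two directories above the
    extraction point. A real attack archive would carry a web shell; here the
    'shell' is an inert marker file.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("package/readme.txt", "benign content\n")
        zf.writestr("../../webroot/shell.jsp", "<%-- inert marker, not a real shell --%>\n")
    return buf.getvalue()


def naive_extract(zip_bytes: bytes, dest: str) -> list:
    """The vulnerable pattern: join every entry name onto dest and write it.

    Written by hand because zipfile.extractall() in current CPython already
    strips '..' components; this reproduces what a careless extractor does.
    """
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.normpath(os.path.join(dest, *info.filename.split("/")))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Hardened form: resolve every entry's final path and refuse the whole
    archive if any entry would land outside dest. Validation runs before the
    first write so a rejected archive leaves nothing behind."""
    dest_real = os.path.realpath(dest)
    os.makedirs(dest_real, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        plan = []
        for info in zf.infolist():
            name = info.filename
            if os.path.isabs(name) or name.startswith(("/", "\\")):
                raise ValueError(f"absolute entry name rejected: {name!r}")
            # realpath also resolves symlinked parents, so a symlink planted by
            # an earlier entry cannot redirect a later one.
            target = os.path.realpath(os.path.join(dest_real, *name.split("/")))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"zip-slip entry rejected: {name!r}")
            plan.append((info, target))
        written = []
        for info, target in plan:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def escaped_paths(dest: str, paths: list) -> list:
    """Return the written paths that ended up outside dest."""
    dest_real = os.path.realpath(dest)
    return [p for p in paths
            if os.path.commonpath([dest_real, os.path.realpath(p)]) != dest_real]


def demo() -> dict:
    """Run both extractors inside a throwaway directory tree.

    dest sits two levels below root, so the '../..' entry escapes dest but
    stays inside root and is removed with it at the end.
    """
    root = tempfile.mkdtemp(prefix="zipslip-demo-")
    dest = os.path.join(root, "app", "extract")
    os.makedirs(dest)
    payload = build_malicious_zip()

    naive_written = naive_extract(payload, dest)
    escaped = escaped_paths(dest, naive_written)
    escaped_exists = all(os.path.exists(p) for p in escaped)

    try:
        safe_extract(payload, os.path.join(root, "safe"))
        blocked = False
    except ValueError:
        blocked = True

    shutil.rmtree(root)
    return {"escaped": [p.replace(os.sep, "/") for p in escaped],
            "escaped_exists": escaped_exists, "blocked": blocked}


if __name__ == "__main__":
    result = demo()
    print("naive extractor wrote outside dest:", result["escaped"])
    print("hardened extractor rejected the archive:", result["blocked"])
```

The check that matters is the `commonpath` comparison on the fully resolved path, done for every entry before any byte is written; rejecting names that merely contain `..` is not enough, since an absolute name or a symlink created by an earlier entry can escape without one.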

While no public incidents or exploitation campaigns have been disclosed, CISA adds a vulnerability to the KEV catalog only when it has reliable evidence of active exploitation, so the listing itself confirms real-world attacks.

Another Commvault Flaw Also Targeted

This is the second Commvault vulnerability added to the KEV catalog within a week. Days earlier, CISA had flagged CVE-2025-3928, another serious issue in Commvault software. The quick succession signals growing attacker interest in backup and data management platforms, which are attractive targets because they hold copies of an organization's most sensitive data.

Related Yii Framework Vulnerability Affects Craft CMS

In the same advisory update, CISA also added CVE-2024-58136, a critical issue in the Yii PHP framework, to its KEV list. This improper protection of alternate path bug was used in zero-day attacks against Craft CMS, which tracks the issue as CVE-2025-32432 (also CVSS 10.0). Other platforms built on Yii may also be vulnerable.

Urgent Patch Deadlines and Guidance

Under Binding Operational Directive (BOD) 22-01, federal agencies must patch CVE-2025-34028 and CVE-2024-58136 by May 23, 2025. While the directive binds only U.S. federal civilian executive branch agencies, CISA strongly recommends that all organizations prioritize these patches.

The agency also encourages regular review of the KEV catalog to stay ahead of active threats and reduce exposure to high-risk exploits.
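CISA publishes the KEV catalog as a JSON feed, so the review it recommends can be scripted: pull the feed, keep the vendors you run, and compute how many days remain against each due date. The following is an added example, not code from the article or from CISA. It works on a constructed sample in the shape of the feed (the two real CVE IDs mirror the advisory update above; the third entry is a placeholder added so the filter has something to drop, and the `vendorProject` strings are assumptions, not copied from the live catalog). The feed URL is CISA's published location; `fetch_kev()` uses it but the offline demo never calls it.

```python
import json
import urllib.request
from datetime import date

# CISA's published JSON feed for the KEV catalog.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the shape of the KEV feed, trimmed to the fields used
# below. The vendor/product strings are illustrative; the placeholder entry is
# entirely made up.
SAMPLE_KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2025-34028", "vendorProject": "Commvault", "product": "Command Center",
         "dateAdded": "2025-05-02", "dueDate": "2025-05-23"},
        {"cveID": "CVE-2024-58136", "vendorProject": "Yii", "product": "Yii Framework",
         "dateAdded": "2025-05-02", "dueDate": "2025-05-23"},
        {"cveID": "CVE-0000-0000", "vendorProject": "ExampleVendor", "product": "Placeholder (constructed)",
         "dateAdded": "2025-01-01", "dueDate": "2025-01-22"},
    ]
})


def parse_kev(feed_json: str) -> list:
    """Return the list of catalog entries from a KEV feed document."""
    return json.loads(feed_json)["vulnerabilities"]


def fetch_kev(timeout: int = 30) -> list:
    """Download the live catalog (network access required; not used offline)."""
    with urllib.request.urlopen(KEV_FEED_URL, timeout=timeout) as resp:
        return parse_kev(resp.read().decode("utf-8"))


def _as_date(value) -> date:
    return value if isinstance(value, date) else date.fromisoformat(value)


def triage(entries: list, today, vendors=None, added_since=None) -> list:
    """Filter catalog entries and rank them by due date.

    vendors     -- iterable of vendorProject names to keep (case-insensitive);
                   None keeps everything.
    added_since -- ISO date; drop entries added before it (useful for a
                   weekly review that only wants new listings).
    Each row carries days_left (negative once the BOD 22-01 due date passed).
    """
    today = _as_date(today)
    wanted = {v.lower() for v in vendors} if vendors else None
    cutoff = _as_date(added_since) if added_since else None
    rows = []
    for e in entries:
        if wanted is not None and e["vendorProject"].lower() not in wanted:
            continue
        if cutoff is not None and _as_date(e["dateAdded"]) < cutoff:
            continue
        due = _as_date(e["dueDate"])
        rows.append({
            "cveID": e["cveID"],
            "vendor": e["vendorProject"],
            "product": e["product"],
            "dateAdded": e["dateAdded"],
            "dueDate": e["dueDate"],
            "days_left": (due - today).days,
            "overdue": due < today,
        })
    rows.sort(key=lambda r: (r["dueDate"], r["cveID"]))
    return rows


def format_report(rows: list) -> str:
    """One line per entry, flagged when the due date has already passed."""
    lines = []
    for r in rows:
        flag = "OVERDUE" if r["overdue"] else f"{r['days_left']:>3}d left"
        lines.append(f"{r['cveID']:<16} {r['vendor']:<14} {r['product']:<20} due {r['dueDate']}  {flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    entries = parse_kev(SAMPLE_KEV_JSON)
    print(format_report(triage(entries, "2025-05-02", vendors=["commvault", "yii"])))
```

For a real run, swap `parse_kev(SAMPLE_KEV_JSON)` for `fetch_kev()` and pass `added_since` set to the date of the last review; anything that comes back with `overdue` set is already past the federal deadline and should be at the top of the patch queue.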
