Commvault backup software: Further vulnerability attacked

Attacks on another Commvault vulnerability became known over the weekend. The update to seal it does not seem to be working.


(Image: JLStock/Shutterstock.com)


Last weekend, attacks on another security vulnerability in Commvault's Command Center Innovation Release became known on the Internet. The update provided by Commvault apparently did not seal the vulnerability correctly. It has since become clear that the IT security researcher's missing registration with Commvault was the reason the hotfixes were not available to him; details are in the "Update" box at the end of the article.

The vulnerability, tracked as EUVD-2025-12275 and CVE-2025-34028, allows attackers to upload ZIP files over the network without prior authentication; when these archives are unpacked on the target server, malicious code smuggled into them can be executed (CVSS 10.0, risk "critical").

In line with standard practice, Commvault has responded with a software update to Commvault 11.38.20 for Linux and Windows. Commvault also provides its own security bulletin, which was updated today, Wednesday. The manufacturer is now releasing further additional updates for 11.38.20, SP38-CU20-433 and SP38-CU20-436, and for 11.38.25, SP38-CU25-434 and SP38-CU25-438.


IT security researcher Will Dormann used a virtual machine with Commvault software version 11.38.25 to test whether an exploit for the vulnerability works.

Dormann writes that Commvault claims that versions 11.38.20 and 11.38.25 patched the vulnerability; the IT researchers at Watchtowr discovered the gap in version 11.38.20. Since the proof-of-concept exploit works against the supposedly fixed version 11.38.25, he has "trust issues". A few hours ago, Dormann mentioned the additional updates that Commvault now lists in the updated security notice. He is unable to install them. This also makes it impossible for him to check their effectiveness.

Nevertheless, IT managers should quickly try to apply the updates and additional hotfixes using Commvault's "Downloading Software On Demand" to ensure that their systems are up to date.

Commvault vulnerabilities are obviously attractive to cybercriminals. Just last week, attackers abused another high-risk vulnerability in the backup software, EUVD-2025-12508 and CVE-2025-3928 (CVSS 8.8, risk "high").

Update

A representative of Commvault answered our questions and explained that Dormann was not registered with Commvault. "He thus couldn't implement the update in question. Commvault contacted the IT security researcher directly to help him with the manual update process and the installation of the security patch. The researcher could then successfully apply the patch," explained the Commvault spokesperson. Will Dormann has published a new post on Mastodon in which he describes the process for applying the update correctly.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.