Ethical Hacking News
Commvault has acknowledged a critical security issue with its popular Command Center product, CVE-2025-34028, which allows an attacker to gain remote code execution privileges on the system. The company has since changed its policy regarding updates for unlicensed, free trial versions of Command Center, ensuring that all users can access and deploy the patch at any time.
Commvault faced a critical security issue with its Command Center product due to a path traversal vulnerability (CVE-2025-34028) that allowed attackers to gain remote code execution privileges. The bug was reported by watchTowr Labs and CISA issued an active exploitation warning, but Commvault's initial response raised concerns among users. Former CERT security analyst Will Dormann discovered that the update did not work for him even though his installation reported the right version number, highlighting the risk of relying on free trial versions. Commvault acknowledged the issue and changed its policy to ensure that all users (both licensed and free trial) can access and deploy patches at their convenience or automatically. The incident highlights the importance of timely and transparent communication regarding software updates and of ensuring that all users have access to necessary security patches.
Commvault, a leading provider of data security solutions, has recently faced a critical security issue with its popular Command Center product. The bug, identified as CVE-2025-34028, is a path traversal vulnerability that allows an attacker to gain remote code execution privileges on the system by sending malicious ZIP files. This issue was first reported by watchTowr Labs, a cybersecurity research firm, and subsequently warned about by the Cybersecurity and Infrastructure Security Agency (CISA).
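The class of bug described above, a ZIP archive whose member names escape the extraction directory, is commonly called "zip slip". The following Python is an added illustration and is not Commvault's code nor a reproduction of the actual vulnerability: it builds a constructed archive containing a traversal entry and shows the check a defender would put in front of any untrusted extraction. The destination directory path is an assumed example.

```python
import io
import os
import zipfile


def traversal_entries(archive_bytes: bytes, dest_dir: str) -> list[str]:
    """Return the names of archive members that would land outside dest_dir.

    Each member name is joined to the destination and fully resolved; a member
    is flagged when the resolved path is not inside the destination root. This
    catches '..' segments as well as absolute member names.
    """
    root = os.path.realpath(dest_dir)
    bad = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            target = os.path.realpath(os.path.join(root, name))
            if os.path.commonpath([root, target]) != root:
                bad.append(name)
    return bad


def safe_extract(archive_bytes: bytes, dest_dir: str) -> list[str]:
    """Extract only if no member escapes dest_dir; otherwise refuse the whole archive."""
    bad = traversal_entries(archive_bytes, dest_dir)
    if bad:
        raise ValueError(f"refusing archive with traversal entries: {bad}")
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        zf.extractall(dest_dir)
        return zf.namelist()


def build_archive(members: dict[str, bytes]) -> bytes:
    """Build a constructed in-memory sample archive (not a real exploit file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: one benign archive and one carrying a '../' member name.
BENIGN = build_archive({"report/data.txt": b"ok"})
TRAVERSAL = build_archive({"report/data.txt": b"ok", "../../escaped.txt": b"x"})

if __name__ == "__main__":
    # Assumed destination; only the benign archive would be extracted here.
    print("benign:", traversal_entries(BENIGN, "/tmp/upload-demo"))
    print("traversal:", traversal_entries(TRAVERSAL, "/tmp/upload-demo"))
```

Note that `zipfile.extractall` in recent CPython releases also sanitises member names, but explicit rejection of the whole archive is the safer policy, since a silently renamed member still signals a hostile upload worth logging.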
The bug earned its critical rating because of its severity, and CISA issued an active exploitation warning. However, Commvault's initial response to the issue raised concerns among users, particularly those testing a free trial version of the product. According to respected former CERT security analyst Will Dormann, the updates did not work for everyone, even though the vendor claimed the flaw was fixed.
Dormann, who was using a free unlicensed version of Command Center, found that his installation reported the version number that was supposed to contain the fix - meaning a fastidious updater with an eagle eye for details might think they were protected. Testing it, however, revealed that the exploit still worked against it. Dormann's experience highlights the challenges faced by users who rely on free trial versions of software.
Commvault has since acknowledged the issue and made efforts to rectify it. The company changed its policy regarding updates for unlicensed, free trial versions of Command Center. Now, all users - both licensed and those using the free trial - can access and deploy the patch at any time or it will be automatically patched on a preset schedule.
For users who rely on Commvault's paid solutions, Commvault has ensured that they are notified as soon as the patch is available, allowing them to deploy it at their convenience. This change of policy demonstrates Commvault's commitment to addressing security concerns and ensuring the protection of its customers' data.
It's worth noting that Commvault has a good track record when it comes to responding to security issues. The company's prompt action in addressing this bug highlights its dedication to maintaining the trust of its users. While there is still work to be done, Commvault's efforts demonstrate its commitment to providing secure and reliable solutions for data protection.
The incident serves as a reminder to all software vendors - particularly those offering free trial versions or community-supported products - to ensure that their updates are widely available and accessible to all users, regardless of the version they are using. This is crucial in preventing similar issues from arising in the future and maintaining the security posture of the broader cybersecurity landscape.
In conclusion, Commvault's recent response to its Command Center patch flaw has shed light on the importance of timely and transparent communication regarding software updates. While this issue raised concerns among users, the company's efforts demonstrate a commitment to addressing these concerns and ensuring the protection of its customers' data.
Related Information:
https://www.ethicalhackingnews.com/articles/Commvault-Command-Center-Patch-Flaw-A-Critical-Security-Issue-Affecting-Users-Worldwide-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/05/13/patch_commvault_cvss_10/
Published: Tue May 13 14:34:10 2025 by llama3.2 3B Q4_K_M