Commvault fixes critical Command Center issue after flaw finder alert

An update that fixed a critical flaw in data protection biz Commvault’s Command Center was initially not available to a significant user subset – those testing out a free trial version of the product. That is, until a security researcher pointed out the problem.

Commvault offers a suite of tools for data security. Command Center is a dashboard bundled with several other tools that gives customers a simple visual view of the data they're trying to protect. Last week, the Cybersecurity and Infrastructure Security Agency warned that the issue, CVE-2025-34028, was under active exploitation. The bug carries the highest possible CVSS severity score of 10.

The flaw earned its top score because it is a path traversal bug that lets an unauthenticated attacker gain remote code execution on the system by uploading ZIP archives containing malicious .jsp files. watchTowr Labs spotted the flaw last month, and CISA warned Windows and Linux users to update to the latest version of Commvault Command Center, which was supposed to fix the issue.
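The bug class described above (an archive whose member names contain `..` so that a server-side script lands outside the unpack directory) is easy to reproduce and easy to vet for. The following is an added illustration, not Commvault's or watchTowr's code and not a reproduction of the Command Center bug: it builds a constructed ZIP with one traversal entry, shows where a careless `os.path.join` would put it, and classifies every member before anything is written to disk. The destination directory, member names and JSP placeholder are all hypothetical.

```python
"""Added example: vetting ZIP members for path traversal before extraction."""
import io
import os
import posixpath
import zipfile
from typing import Dict, List


def naive_target(dest_root: str, member_name: str) -> str:
    # What a careless extractor does: join and hope. Any '..' segments
    # in the member name walk straight out of dest_root.
    return os.path.normpath(os.path.join(dest_root, member_name))


def is_contained(dest_root: str, member_name: str) -> bool:
    """True if member_name, after normalisation, stays under dest_root."""
    # Reject absolute names (POSIX root or a Windows drive letter) outright.
    if member_name.startswith(("/", "\\")) or (len(member_name) > 1 and member_name[1] == ":"):
        return False
    # ZIP member names are '/'-separated per the spec; some writers emit '\'.
    norm = posixpath.normpath(member_name.replace("\\", "/"))
    if norm == ".." or norm.startswith("../"):
        return False
    root = os.path.abspath(dest_root)
    target = os.path.abspath(os.path.join(root, *norm.split("/")))
    # Final containment check on the resolved path, not on the raw string.
    return os.path.commonpath([root, target]) == root


def vet_archive(zip_bytes: bytes, dest_root: str) -> Dict[str, List[str]]:
    """Classify every member as 'ok' or 'traversal' without extracting."""
    verdict: Dict[str, List[str]] = {"ok": [], "traversal": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            key = "ok" if is_contained(dest_root, info.filename) else "traversal"
            verdict[key].append(info.filename)
    return verdict


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Build a constructed archive in memory; zipfile does not sanitise names on write."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample inputs; the paths and the JSP body are illustrative only.
MALICIOUS_ZIP = build_zip({
    "report/index.html": b"<html></html>",
    "../../webapps/ROOT/shell.jsp": b"<%-- placeholder JSP body --%>",
})
BENIGN_ZIP = build_zip({
    "report/index.html": b"<html></html>",
    "report/data.csv": b"a,b\n",
})

DEST = "/srv/upload/unpack"  # hypothetical staging directory


if __name__ == "__main__":
    for name in ("report/index.html", "../../webapps/ROOT/shell.jsp"):
        print(f"{name!r:36} naive -> {naive_target(DEST, name)}  contained={is_contained(DEST, name)}")
    print("malicious:", vet_archive(MALICIOUS_ZIP, DEST))
    print("benign:   ", vet_archive(BENIGN_ZIP, DEST))
```

The point of `is_contained` is that it decides on the resolved path rather than on a substring match: `report/../data.csv` is allowed because it stays inside the root, while `report/../../x.jsp` is rejected even though it does not begin with `..`. Python's own `ZipFile.extractall` silently rewrites such names instead of refusing them, which hides the fact that an attacker tried; refusing and logging the member name is the behaviour a server-side unpacker should have.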

But according to Will Dormann, a respected former CERT/CC vulnerability analyst, the updates didn't work for everyone.

Worse, it appeared to Dormann, who was using a free unlicensed version of Command Center, that he had the right version number to fix the flaw, meaning a fastidious updater with an eagle eye for details might think they were protected. But then he tested it.

“It seems that the VM that I have is 11.38.25, which contains the fix for CVE-2025-34028,” he wrote on Mastodon. “EXCEPT the exploit for CVE-2025-34028 still works against it.”

Dormann explained that, in fact, the updated Command Center was only protected after he installed additional updates, which were extremely difficult for him to find, download, and install.

“I talked to them on the phone, and I said, ‘Hey, you guys should really update your advisory, because the current advisory indicates that 11.38.20 is fixed now,’” he told The Register.

“On May 6, they updated the advisory to say, ‘Well, if you’re at 11.38.20, you need these two additional updates. Or if you’re on 11.38.25 you need these two additional updates.’”

Then Dormann spoke to Commvault the following day, and he claims it turned out to be a question of money, even with a CVSS 10 flaw under active attack: users of the free version weren't getting updates for a month, he added.

Dormann praised the company for not only getting back to him so quickly but having engineers on the phone keen to solve this in less than a day.

“I was on the phone with them, they did not mention that there was a 30 day waiting period,” he told us.

“But what they ended up doing is, while I was actually live on the phone with them, they changed that on May 7, so that people that got their copy of [Command Center] through Azure or AWS or anything related to that, they would be able to download the latest copy of the software.

“I’m quite confident that they did a fine job of picking up the vulnerability. The problem that I see with all of this is if anybody’s using an unlicensed version that they got through Azure or AWS, they kind of have to jump through some hoops to get the updated version of the software.”

Dormann's use of the free unlicensed version of Command Center meant he was not able to get access to patches on the same timeline as paying customers. Thanks to Dormann's attention, Commvault has now changed that policy permanently.

“For our licensed customers, as soon as the patch is available, customers are notified and can deploy the patch at any time or it will be automatically patched on a preset schedule,” a spokesperson for Commvault explained to The Register.

“For users testing out an unlicensed, free trial version, updates are released every 30 days. We previously had not made intermittent patches available to unlicensed, free trial versions before the next 30-day release hit. Going forward, all users, both licensed and those using the free trial, can access and deploy the patch at any time.”

watchTowr had no comment at time of going to press. ®

Iain Thomson