CVE-2025-34028

Arctic Wolf reports on CVE-2025-34028, a critical pre-authentication SSRF in Commvault Command Center's deployWebpackage.do endpoint that can be escalated to remote code execution using a malicious ZIP with a JSP; a public PoC exists. The bulletin lists affected and fixed versions (upgrade to 11.38.20), warns that public-facing instances should be removed from the internet, and urges organizations to patch and follow firewall/hardening guidance.