Resolution This vulnerability impacts only the 11.38 Innovation Release and has been resolved in the following Innovation Update releases. All other versions are not affected. 11.38.20, which includes the fix as of April 10, 2025 11.38.25, which includes the fix as of April 10, 2025

Notices where this attachment appears

1. Embed this notice
   Will Dormann (wdormann@infosec.exchange)'s status on Thursday, 08-May-2025 13:25:44 JST Will Dormann

   in reply to

   Now that I have a local copy of the Commvault VM so that I don't burn truckloads of Azure dollars, I can look at things at my leisure.

   AND, it seems that the VM that I have is 11.38.25, which contains the fix for CVE-2025-34028.

   EXCEPT the exploit for CVE-2025-34028 still works against it. 🤦♂️

   Commvault claims that 11.38.20 and 11.38.25 fixes the watchTowr-reported CVE-2025-34028 vulnerability. (Aside: How is it even possible that two different versions in the same product line are the ones that fix a single vulnerability?) watchTowr discovered the bug in 11.38.20.

   I trust watchTowr, so I don't believe Commvault's statement that 11.38.20 fixes the vulnerability that watchTowr found in 11.38.20.

   I also trust the PoC that I just ran against 11.38.25, so I don't believe Commvault's statement that 11.38.25 fixes the vulnerability that watchTowr found in 11.38.20.

   Yes, I have trust issues. 😕