Process monitor log of 11.38.25 system, showing shell.jsp being planted and executed using the watchTowr PoC
https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/458/905/102/553/591/original/8249341a63d86457.png
https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/458/905/102/553/591/original/8249341a63d86457.png
Notices where this attachment appears
-
Embed this notice
Will Dormann (wdormann@infosec.exchange)'s status on Thursday, 08-May-2025 13:25:44 JST 
Will Dormann
Now that I have a local copy of the Commvault VM so that I don't burn truckloads of Azure dollars, I can look at things at my leisure.
AND, it seems that the VM that I have is 11.38.25, which contains the fix for CVE-2025-34028.
EXCEPT the exploit for CVE-2025-34028 still works against it. 🤦♂️
Commvault claims that 11.38.20 and 11.38.25 fixes the watchTowr-reported CVE-2025-34028 vulnerability. (Aside: How is it even possible that two different versions in the same product line are the ones that fix a single vulnerability?) watchTowr discovered the bug in 11.38.20.
I trust watchTowr, so I don't believe Commvault's statement that 11.38.20 fixes the vulnerability that watchTowr found in 11.38.20.
I also trust the PoC that I just ran against 11.38.25, so I don't believe Commvault's statement that 11.38.25 fixes the vulnerability that watchTowr found in 11.38.20.
Yes, I have trust issues. 😕
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.