ET MALWARE Commvault Pre-Auth RCE (CVE-2025-34028) Post-Exploitation Activity (jsp webshell)
Source: et/open
Created: April 24, 2025
Updated: April 24, 2025
Classification: trojan-activity
alert http any any -> $HOME_NET any (msg:"ET MALWARE Commvault Pre-Auth RCE (CVE-2025-34028) Post-Exploitation Activity (jsp webshell)"; flow:established,to_server; xbits:isset,ET.CVE-2025-34028,track ip_dst; http.uri; content:"/reports/MetricsUpload"; fast_pattern; startswith; content:".jsp"; distance:0; reference:url,labs.watchtowr.com/fire-in-the-hole-were-breaching-the-vault-commvault-remote-code-execution-cve-2025-34028/; reference:cve,2025-34028; classtype:trojan-activity; sid:2061839; rev:1; metadata:affected_product Commvault, attack_target Web_Server, tls_state TLSDecrypt, created_at 2025_04_24, cve CVE_2025_34028, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag WebShell, updated_at 2025_04_24, mitre_tactic_id TA0002, mitre_tactic_name Execution, mitre_technique_id T1059, mitre_technique_name Command_And_Scripting_Interpreter; target:dest_ip;)
References
- https://labs.watchtowr.com/fire-in-the-hole-were-breaching-the-vault-commvault-remote-code-execution-cve-2025-34028/
- CVE-2025-34028
Metadata
affected product: Commvault
attack target: Web_Server
tls state: TLSDecrypt
created at: 2025_04_24
deployment: Internal
performance impact: Low
confidence: High
signature severity: Major
tag: WebShell
updated at: 2025_04_24
mitre tactic id: TA0002
mitre tactic name: Execution
mitre technique id: T1059
mitre technique name: Command_And_Scripting_Interpreter