Bridging individuals with technology thru innovative solutions & delivery of excellence in  service.


Commvault Command Center bug rated 10.0 patched


April 24, 2025



A critical 10.0 bug in the Commvault Command Center could potentially let remote attackers execute arbitrary code without authentication.

The company disclosed in a recent advisory that the vulnerability could lead to a complete compromise of the Command Center, which enterprises use on help desks or to perform common administrative tasks, such as restoring user emails.

According to Commvault, the vulnerability, CVE-2025-34028, has been resolved. It impacts only the 11.38 Innovation release, and other installations within the same system are not affected. The vulnerability was last modified by NIST’s National Vulnerability Database on April 23. Commvault credited watchTowr for responsibly disclosing the issue and urged all of its users to patch right away.

“That this bug can lead to a complete compromise of the Command Center, the central component of Commvault’s data protection infrastructure, poses a clear and present danger to digital systems,” said Agnidipta Sarkar, vice president and CISO Advisory at ColorTokens.

Sarkar said enterprises must follow mitigation steps in an immediate and persistent mode, and if they cannot shut down full networks, they should use appliance-based microsegmentation systems that can opt-in critical infrastructure isolation in minutes. Otherwise, Sarkar said organizations could be looking at a severe impact, potentially leading to irrecoverable business and personal data impact, should some ransomware impact them.

Eric Schwake, director of cybersecurity strategy at Salt Security, said the Commvault vulnerability underscores a significant risk: attackers can exploit weak API endpoints to gain extensive access to sensitive systems.

Schwake said the threat resides in the possibility of pre-authenticated remote code execution on systems that are often crucial to an organization’s data protection framework.

“A breach here could result in widespread data leaks, ransom demands for encrypted backups, or total control over recovery processes,” said Schwake. “It’s essential to implement stringent API security measures that focus on identifying and understanding the behavior of all API endpoints, including those used by critical infrastructure like backup systems.”


