Another Day, Another Commvault Zero-Day: RCE, Path Traversal, and KEV Inclusions
Episode 63

Daily Security Review

May 6, 2025 · 12m 0s

Show Notes

In this episode, we break down the anatomy of some of the most critical vulnerabilities threatening enterprise systems in 2025 — and the real-world attacks already exploiting them. We explore how seemingly small issues like path traversal can escalate into full remote code execution (RCE), and how threat actors are chaining vulnerabilities to bypass authentication and compromise systems.

We’ll examine CVE-2025-34028 in Commvault Command Center and CVE-2025-32432 in Craft CMS, both added to CISA’s Known Exploited Vulnerabilities (KEV) catalog after confirmed in-the-wild exploitation. You'll hear how attackers are abusing unfiltered file paths, uploading malicious files, and exploiting image processing features to take control of servers — all without authentication.

We also talk about the architectural reasons why arbitrary code execution (ACE) is so dangerous, how the Von Neumann model enables this class of exploits, and why input validation and patching are non-negotiable. This is a must-listen if you’re responsible for patching, monitoring, or securing web apps and core business platforms.

✅ Topics Covered:

  • ACE vs. RCE: What’s the difference and why it matters
  • How path traversal works and how it’s exploited
  • Breakdown of recent Craft CMS and Commvault vulnerabilities
  • Why chained exploits are increasing in real-world attacks
  • CISA’s KEV catalog and what it means for your patching priorities
  • Mitigation steps that actually work — from WAF rules to file-integrity monitoring

Topics

Commvault, CVE-2025-34028, remote code execution, path traversal, Craft CMS, CVE-2025-32432, zero-day, active exploitation, CISA KEV catalog, arbitrary code execution, Yii framework, chained vulnerabilities, cybersecurity patching, vulnerability management, pre-auth RCE