Daily Security Review

Another Day, Another Commvault Zero-Day: RCE, Path Traversal, and KEV Inclusions

06 May 2025

Description

In this episode, we break down the anatomy of some of the most critical vulnerabilities threatening enterprise systems in 2025 and the real-world attacks already exploiting them. We explore how seemingly small issues like path traversal can escalate into full remote code execution (RCE), and how threat actors are chaining vulnerabilities to bypass authentication and compromise systems.

We'll examine CVE-2025-34028 in Commvault Command Center and CVE-2025-32432 in Craft CMS, both added to CISA's Known Exploited Vulnerabilities (KEV) catalog after confirmed in-the-wild exploitation. You'll hear how attackers are abusing unfiltered file paths, uploading malicious files, and exploiting image processing features to take control of servers, all without authentication.

We also talk about the architectural reasons why arbitrary code execution (ACE) is so dangerous, how the Von Neumann model (code and data sharing one memory, so a written file or buffer can become executable instructions) enables this class of exploits, and why input validation and patching are non-negotiable. This is a must-listen if you're responsible for patching, monitoring, or securing web apps and core business platforms.

✅ Topics Covered:
- ACE vs. RCE: what's the difference and why it matters
- How path traversal works and how it's exploited
- Breakdown of recent Craft CMS and Commvault vulnerabilities
- Why chained exploits are increasing in real-world attacks
- CISA's KEV catalog and what it means for your patching priorities
- Mitigation steps that actually work, from WAF rules to file-integrity monitoring
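To make the path traversal and mitigation points concrete, here is an added Python example that is not from the episode and does not reproduce the code of Commvault, Craft CMS, or any product named above. It shows a file-path builder that trusts a client-supplied name (the vulnerable pattern), a hardened version that decodes, rejects traversal segments, and confirms containment under the upload root, and a log check of the kind a WAF rule or monitor would apply. The upload directory, function names, and access-log lines are all assumptions constructed for the illustration.

```python
"""Path traversal: vulnerable vs. hardened path building, plus a request-log check.
Generic illustration (added example); not the code of any product on the page."""
import posixpath
import re
from urllib.parse import unquote

UPLOAD_ROOT = "/srv/app/uploads"  # hypothetical upload directory (assumption)


def vulnerable_target(user_path: str) -> str:
    """Vulnerable: joins the client-supplied name onto the upload root.
    Nothing strips '../', so the caller picks the final directory."""
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, user_path))


def decode_fully(raw: str, rounds: int = 3) -> str:
    """Percent-decode until stable, so %2e%2e and %252e%252e both become '..'."""
    for _ in range(rounds):
        decoded = unquote(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw


def hardened_target(user_path: str) -> str:
    """Hardened: decode, normalise separators, reject NUL/absolute/'..' input,
    then confirm the joined path still lies under UPLOAD_ROOT.
    This check is purely lexical; a symlink inside UPLOAD_ROOT that points
    outside it still needs an os.path.realpath() check at write time."""
    decoded = decode_fully(user_path).replace("\\", "/")
    if not decoded or "\x00" in decoded:
        raise ValueError("empty path or NUL byte in path")
    if decoded.startswith("/") or ".." in decoded.split("/"):
        raise ValueError("absolute path or traversal segment")
    target = posixpath.normpath(posixpath.join(UPLOAD_ROOT, decoded))
    if posixpath.commonpath([UPLOAD_ROOT, target]) != UPLOAD_ROOT:
        raise ValueError("path escapes upload root")
    return target


def is_safe_path(user_path: str) -> bool:
    """Convenience wrapper: True when hardened_target() accepts the input."""
    try:
        hardened_target(user_path)
        return True
    except ValueError:
        return False


# A '..' segment bounded by a separator, '=', or string start/end; avoids
# flagging names such as 'archive..old.zip' that merely contain two dots.
TRAVERSAL_RE = re.compile(r"(?:^|[\\/=])\.\.(?:[\\/]|$)")
REQ_RE = re.compile(r'"(?:GET|POST|PUT) (\S+) ')


def is_traversal_attempt(request_path: str) -> bool:
    """True when the fully decoded request path contains a '..' segment."""
    decoded = decode_fully(request_path).replace("\\", "/")
    return bool(TRAVERSAL_RE.search(decoded))


# Constructed sample access-log lines for the demo (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [06/May/2025:10:01:02 +0000] "GET /files/report.pdf HTTP/1.1" 200',
    '10.0.0.9 - - [06/May/2025:10:01:03 +0000] "GET /files/..%2f..%2f..%2fetc/passwd HTTP/1.1" 200',
    '10.0.0.9 - - [06/May/2025:10:01:04 +0000] "POST /upload?name=..%252f..%252ftmp%252fshell.jsp HTTP/1.1" 200',
    '10.0.0.5 - - [06/May/2025:10:01:05 +0000] "GET /files/archive..old.zip HTTP/1.1" 200',
]


def flag_traversal(lines):
    """Return (client_ip, raw_request_path) for each line whose path decodes
    to a traversal segment; single- and double-encoded forms are both caught."""
    hits = []
    for line in lines:
        m = REQ_RE.search(line)
        if m and is_traversal_attempt(m.group(1)):
            hits.append((line.split()[0], m.group(1)))
    return hits


if __name__ == "__main__":
    print("vulnerable:", vulnerable_target("../../../etc/cron.d/job"))
    print("hardened:  ", hardened_target("reports/q1.pdf"))
    for ip, path in flag_traversal(SAMPLE_LOG):
        print("traversal attempt from", ip, "->", path)
```

The hardened function layers two checks on purpose: the segment test rejects the input early with a clear reason, and the commonpath test catches anything the first test missed. The log check decodes before matching because a rule that only looks for the literal string `../` misses the `%2e%2e` and `%252e%252e` variants seen in the constructed lines.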
