Commvault Releases Security Updates to Address Multiple Vulnerabilities

Security researchers have demonstrated that 4 vulnerabilities in Commvault can be exploited in a chain to achieve unauthenticated remote code execution

Threat ID:: CC-4694
Threat Severity:: Medium
Published:: 21 August 2025 3:00 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Security researchers have demonstrated that 4 vulnerabilities in Commvault can be exploited in a chain to achieve unauthenticated remote code execution

Affected platforms

The following platforms are known to be affected:

Commvault

11.32.0 to 11.32.101
11.36.0 to 11.36.59
11.38.20 to 11.38.25
- Note: Although not listed in the Commvault advisories, security researchers have verified that versions 11.38.20 to 11.38.25 are affected by these vulnerabilities.

Commvault SaaS is not affected by these vulnerabilities.

Threat details

Public proof-of-concept exploit available

Security researchers at watchTowr have published technical details for how the vulnerabilities in Commvault can be exploited in 2 different chains to achieve pre-authentication remote code execution (RCE).

Backup and disaster recovery solutions are highly valuable targets for cyber criminals. The NHS England National CSOC assesses future exploitation as likely.

Introduction

Commvault has released security advisories to address 4 vulnerabilities in Commvault Windows and Linux. Security researchers have demonstrated the ability for these vulnerabilities to be chained together by an unauthenticated remote attacker to perform remote code execution on the Commvault server.

CVE-2025-57788 - Unauthorized API Access Risk - CVSSv4 6.9
CVE-2025-57789 - Vulnerability in Initial Administrator Login Process - CVSSv4 5.3
CVE-2025-57790 - Path Traversal Vulnerability - CVSSv4 8.7
CVE-2025-57791 - Argument Injection Vulnerability in CommServe - CVSSv4 6.9

Remediation advice

Affected organisations are strongly encouraged to review the Commvault Security Advisories page and apply the relevant updates as soon as possible.

For clarity, the remediated versions are:

11.32.102
11.36.60
11.38.32

Definitive source of threat updates

https://documentation.commvault.com/securityadvisories/

CVE Vulnerabilities

Status Published

CVE-2025-57788

An issue was discovered in Commvault before 11.36.60. A vulnerability in a known login mechanism allows unauthenticated attackers to execute API calls without requiring user credentials. RBAC helps limit the exposure but does not eliminate risk.

Status Published

CVE-2025-57789

An issue was discovered in Commvault before 11.36.60. During the brief window between installation and the first administrator login, remote attackers may exploit the default credential to gain admin control. This is limited to the setup phase, before any jobs have been configured.

Status Published

CVE-2025-57790

An issue was discovered in Commvault before 11.36.60. A security vulnerability has been identified that allows remote attackers to perform unauthorized file system access through a path traversal issue. The vulnerability may lead to remote code execution.

Status Published

CVE-2025-57791

An issue was discovered in Commvault before 11.36.60. A security vulnerability has been identified that allows remote attackers to inject or manipulate command-line arguments passed to internal components due to insufficient input validation. Successful exploitation results in a valid user session for a low privilege role.

Last edited: 21 August 2025 3:00 pm