Chaining Commvault vulnerabilities enables pre-authentication remote code execution
Take action: If you're running Commvault on-premises backup solutions, first make sure it's isolated from the internet and accessible only from trusted networks. Then plan a quick update to version 11.32.102, 11.36.60, or 11.38.32. Attackers can chain vulnerabilities to compromise your backup systems.
Learn More
Commvault has patched four security vulnerabilities in its enterprise backup and data protection solution that can be chained together to achieve pre-authentication remote code execution on susceptible installations.
Vulnerabilities summary:
- CVE-2025-57788 (CVSS score 6.9) - Unauthorized API access vulnerability in a known login mechanism that allows unauthenticated attackers to execute API calls
- CVE-2025-57789 (CVSS score 5.3) - Privilege escalation vulnerability during the setup phase between installation and the first administrator login, allowing remote attackers to exploit default credentials to gain admin control through hardcoded encryption keys
- CVE-2025-57790 (CVSS score 8.7) - Path traversal vulnerability that allows remote attackers to perform unauthorized file system access, enabling them to write JSP webshells into the webroot for remote code execution
- CVE-2025-57791 (CVSS score 6.9) - Argument injection vulnerability in CommServe that allows remote attackers to inject or manipulate command-line arguments passed to internal components due to insufficient input validation
The vulnerabilities were discovered by watchTowr Labs researchers and affect Commvault versions before 11.36.60. Threat actors can chain the flaws into two pre-authenticated exploit chains to achieve code execution on vulnerable instances.
The first exploit chain combines CVE-2025-57791 and CVE-2025-57790. This chain exploits an argument injection vulnerability in the qlogin QCommand to generate a valid API token for the localadmin user, then uses a path traversal flaw in QCommand output handling to drop a JSP webshell directly into the application's webroot directory for immediate remote code execution.
The second exploit chain requires CVE-2025-57788, CVE-2025-57789, and CVE-2025-57790, but it only works if the built-in administrator password hasn't been changed since installation. This chain begins by leaking the password of the low-privileged _+PublicSharingUser account, then exploits a hardcoded AES encryption key to decrypt the built-in admin password from the database, and finally uses the same path traversal vulnerability to achieve remote code execution.
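Both chains end the same way: a JSP file written into the web application's webroot through the path traversal flaw (CVE-2025-57790). A useful compensating check for defenders who cannot patch immediately is to inventory JSP files under the webroot and flag any that spawn OS processes, which a legitimate page in a backup product should not do. The following Python script is an added example written for this article, not code from Commvault or watchTowr; the webroot path, the file extensions and the process-spawning patterns it looks for are generic assumptions about Java webshells, not product-specific signatures.

```python
# Added example (not from the advisory or the vendor): scan a webroot for JSP
# files that contain process-spawning code, a common trait of JSP webshells.
import os
import re
import sys
from typing import Iterable, List, Tuple

# Heuristic markers for Java code that executes OS commands. Assumed generic
# webshell traits; tune the list for your own environment.
SUSPICIOUS = [
    re.compile(r"Runtime\.getRuntime\(\)\.exec"),
    re.compile(r"new\s+ProcessBuilder"),
    re.compile(r"request\.getParameter\([^)]*\)[\s\S]*?(exec|ProcessBuilder)"),
]

# File types served by the JSP container; other files are ignored.
JSP_EXTENSIONS = (".jsp", ".jspx")


def score_jsp(content: str) -> List[str]:
    """Return the patterns that match in a single file's content (empty if clean)."""
    return [p.pattern for p in SUSPICIOUS if p.search(content)]


def find_suspicious(files: Iterable[Tuple[str, str]]) -> List[Tuple[str, List[str]]]:
    """Given (path, content) pairs, return the JSP files that trip a heuristic.

    Kept separate from disk I/O so the logic can be exercised on constructed
    samples as well as a real directory walk.
    """
    hits = []
    for path, content in files:
        if not path.lower().endswith(JSP_EXTENSIONS):
            continue
        reasons = score_jsp(content)
        if reasons:
            hits.append((path, reasons))
    return hits


def walk_webroot(root: str) -> Iterable[Tuple[str, str]]:
    """Yield (path, content) for every readable file under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    yield path, fh.read()
            except OSError:
                # Unreadable files are skipped rather than aborting the scan.
                continue


if __name__ == "__main__":
    # Assumed invocation: python scan_webroot.py /path/to/commvault/webroot
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, reasons in find_suspicious(walk_webroot(root)):
        print(f"SUSPICIOUS {path}: {', '.join(reasons)}")
```

Run it against a known-good baseline first, since any match only means "this JSP can run commands", not "this is a webshell"; the real signal is a JSP file that did not exist at install time and was not shipped by a vendor update. Pair it with file-integrity monitoring on the webroot so that new `.jsp` writes raise an alert regardless of content.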
Commvault has released patches in versions 11.32.102, 11.36.60, and 11.38.32. The company's SaaS solution is not affected by these issues. Organizations using Commvault's on-premises solutions should prioritize updating to the latest patched versions.
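Because the fix shipped on three separate maintenance lines, "am I patched?" is a per-branch comparison rather than a single threshold. The Python below is an added example for this article (not a Commvault tool) that triages an inventory of hosts against the three fixed releases named above. It assumes that each fix applies to installs on the same `11.xx` feature-release line and that version strings have the form `major.feature.maintenance`; a branch the advisory does not name is reported as UNKNOWN rather than guessed.

```python
# Added example (not from the advisory or the vendor): classify installed
# Commvault versions against the patched releases the advisory names.
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases from the advisory, keyed by (major, feature-release) branch.
# Assumption: each fix covers installs on the same 11.xx line.
PATCHED: Dict[Tuple[int, int], Version] = {
    (11, 32): (11, 32, 102),
    (11, 36): (11, 36, 60),
    (11, 38): (11, 38, 32),
}

# Sort order for the triage report: act-on-first.
ORDER = {"PATCH": 0, "UNKNOWN": 1, "OK": 2}


def parse_version(text: str) -> Version:
    """Parse 'major.feature.maintenance' into a comparable tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, feature, maint = (int(p) for p in parts)
    return major, feature, maint


def needs_patch(text: str) -> Optional[bool]:
    """True if below the fix for its branch, False if at or above it,
    None if the branch is not one the advisory names."""
    version = parse_version(text)
    fixed = PATCHED.get(version[:2])
    if fixed is None:
        return None
    # Tuple comparison orders (11, 36, 59) before (11, 36, 60).
    return version < fixed


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (host, version, status) rows, hosts needing a patch first."""
    rows = []
    for host, version in inventory.items():
        verdict = needs_patch(version)
        status = "UNKNOWN" if verdict is None else ("PATCH" if verdict else "OK")
        rows.append((host, version, status))
    rows.sort(key=lambda row: (ORDER[row[2]], row[0]))
    return rows


if __name__ == "__main__":
    # Constructed sample inventory; replace with output from your CMDB.
    sample = {"bk-01": "11.36.59", "bk-02": "11.38.32", "bk-03": "11.34.10"}
    for host, version, status in triage(sample):
        print(f"{status:8} {host} {version}")
```

Hosts that come back UNKNOWN should be treated as needing attention: the advisory states the flaws affect versions before 11.36.60, so an install on an unlisted line is not cleared by this check and should be confirmed against the vendor's own guidance.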