Advisory

Commvault developers warn of critical flaw, urge immediate patching

Take action: This is an urgent item if you are using Commvault Backup. The developers didn't wait for a CVE, and are not providing any details - this usually means the flaw is very nasty. Make sure your Commvault Backup is isolated from the internet, and start patching NOW.


Learn More

A critical vulnerability has been identified and remediated in multiple versions of Commvault's backup software. This flaw allows malicious actors to compromise Commvault web servers by creating and executing webshells, effectively establishing backdoor access to affected systems.

The advisory does not specify a CVE identifier or CVSS score for this vulnerability, but Commvault has classified it as "critical" in severity. The vulnerability affects both Linux and Windows platforms running Commvault software.

The specific attack vector has not been detailed in the advisory, but according to Commvault the vulnerability allows attackers to establish backdoors on web servers and gain unauthorized access to systems. These webshells could grant persistent access to compromised environments and lead to further compromise of the backup infrastructure.

The following Commvault software versions are vulnerable:

  • Commvault Linux/Windows 11.36.0 - 11.36.44
  • Commvault Linux/Windows 11.32.0 - 11.32.86
  • Commvault Linux/Windows 11.28.0 - 11.28.139
  • Commvault Linux/Windows 11.20.0 - 11.20.215

Commvault has addressed this vulnerability in the following updated versions:

  • Version 11.36.45 (resolving 11.36.0 - 11.36.44)
  • Version 11.32.87 (resolving 11.32.0 - 11.32.86)
  • Version 11.28.140 (resolving 11.28.0 - 11.28.139)
  • Version 11.20.216 (resolving 11.20.0 - 11.20.215)
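The affected and fixed version ranges above, turned into a check an administrator can run against a host inventory. This is an added example, not Commvault tooling; the three-part major.minor.build version format, the constructed sample inventory, and the function names are assumptions. A version in a feature release the advisory does not list (for example a hypothetical 11.40.x) is reported as "not-listed" rather than as safe, since the advisory says nothing about it.

```python
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, last affected, fixed maintenance release), copied from the advisory
AFFECTED_RANGES: List[Tuple[Version, Version, Version]] = [
    ((11, 36, 0), (11, 36, 44), (11, 36, 45)),
    ((11, 32, 0), (11, 32, 86), (11, 32, 87)),
    ((11, 28, 0), (11, 28, 139), (11, 28, 140)),
    ((11, 20, 0), (11, 20, 215), (11, 20, 216)),
]


def parse_version(text: str) -> Version:
    """Parse 'major.minor.build' into a comparable tuple (format is an assumption)."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {text!r}")
    major, minor, build = (int(p) for p in parts)
    return (major, minor, build)


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def assess(text: str) -> Dict[str, Optional[str]]:
    """Classify one installed version against the advisory's ranges."""
    v = parse_version(text)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return {"version": text, "status": "vulnerable", "fixed_in": fmt(fixed)}
        # Same feature release (major.minor) at or above the fix build
        if v[:2] == fixed[:2] and v >= fixed:
            return {"version": text, "status": "patched", "fixed_in": fmt(fixed)}
    # Not in any listed range: the advisory makes no statement, so do not call it safe
    return {"version": text, "status": "not-listed", "fixed_in": None}


def hosts_needing_patch(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (host, installed, required release) for every vulnerable host."""
    result = []
    for host, installed in inventory.items():
        verdict = assess(installed)
        if verdict["status"] == "vulnerable":
            result.append((host, installed, verdict["fixed_in"] or ""))
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are not from the advisory
    sample = {
        "commserve-01": "11.36.44",
        "webserver-01": "11.36.45",
        "webserver-02": "11.20.100",
        "lab-box": "11.40.3",
    }
    for host, installed, required in hosts_needing_patch(sample):
        print(f"{host}: {installed} is vulnerable, install {required}")
    for host, installed in sample.items():
        print(host, assess(installed))
```

Run it against a real inventory by replacing the constructed `sample` dictionary; both CommServe and Web Server hosts belong in it, since the advisory asks for the maintenance release on both.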

Administrators are strongly advised to immediately install the appropriate maintenance release on both CommServe and Web Servers to mitigate this risk. Detailed instructions for installing Commvault software updates are available in the company's documentation under "Installing Commvault Software Updates on Demand."

Currently, there are no reports of this vulnerability being exploited in the wild. The advisory does not provide information about indicators of compromise (IoCs) that could help administrators detect if their systems have already been compromised via this vulnerability.
