Commvault, a leading provider of data protection and information management software, has announced crucial security updates, addressing four vulnerabilities that posed remote code execution risks to unpatched systems. These vulnerabilities affect Commvault installations running versions prior to 11.36.60.
Overview of Vulnerabilities
The security gaps, each tracked with an official CVE identifier and corresponding CVSS scores, were uncovered by Sonny Macdonald and Piotr Bazydlo of watchTowr Labs in April 2025. Here's a breakdown of each:
CVE-2025-57788 (CVSS 6.9):
A flaw in the login mechanism lets unauthenticated attackers perform API calls without user credentials, increasing the risk of unauthorized access.
CVE-2025-57789 (CVSS 5.3):
During the critical setup phase—between installation and first admin login—remote attackers could exploit default credentials to obtain administrator privileges.
CVE-2025-57790 (CVSS 8.7):
The most severe, this path traversal vulnerability enables attackers to access the file system and execute code remotely if exploited successfully.
CVE-2025-57791 (CVSS 6.9):
Insufficient input validation potentially allows remote attackers to inject or manipulate command-line arguments, escalating privileges within a valid user session for a low-level account.
Exploit Chains and Risk Analysis
WatchTowr Labs' analysis highlights that these vulnerabilities could be chained for pre-authenticated remote code execution:
Chain 1: Combining CVE-2025-57791 and CVE-2025-57790
Chain 2: Linking CVE-2025-57788, CVE-2025-57789, and CVE-2025-57790
Of special note, the second exploit chain only succeeds if the built-in admin password remains unchanged since initial installation—a critical reminder for administrators to update default credentials immediately upon deployment.
Mitigation and Impact
Commvault resolved all flagged vulnerabilities in versions 11.32.102 and 11.36.60. If you’re running earlier versions, immediate patching is essential. The company clarified that its SaaS offerings are not affected.
Administrators and users are urged to verify their installations and apply updates without delay. Failure to do so exposes systems to attacks that can result in unauthorized access, data compromise, or full remote code execution.
Previous Incidents and Ongoing Threats
This disclosure follows a major security event just four months ago, where WatchTowr Labs reported CVE-2025-34028 (CVSS 10.0)—a critical Commvault Command Center vulnerability also enabling arbitrary code execution. Shortly thereafter, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this flaw to its Known Exploited Vulnerabilities (KEV) catalog in response to active exploitation in the wild.
Final Thoughts
Security in enterprise environments hinges on awareness, prompt action, and continual monitoring for vulnerabilities. The swift response from Commvault and watchTowr Labs is a solid example of responsible disclosure and remediation. System owners should not only patch but also review security practices, especially regarding credential management during installation.
For technical details and update instructions, consult the official Commvault release notes or your security team.
Top comments (0)