Commvault pre-auth exploit chain allows remote code execution
Commvault has released critical updates to address four security vulnerabilities that could be exploited for remote code execution on affected instances. The vulnerabilities, identified in Commvault versions prior to 11.36.60, include CVE-2025-57788 (CVSS score: 6.9), which allows unauthenticated attackers to execute API calls without user credentials; CVE-2025-57789 (CVSS score: 5.3), which enables remote attackers to exploit default credentials during the setup phase to gain admin control; CVE-2025-57790 (CVSS score: 8.7), a path traversal vulnerability that permits unauthorized file system access; and CVE-2025-57791 (CVSS score: 6.9), which allows remote attackers to manipulate command-line arguments due to insufficient input validation. Researchers Sonny Macdonald and Piotr Bazydlo from watchTowr Labs discovered and reported these vulnerabilities in April 2025.
All identified vulnerabilities have been resolved in versions 11.32.102 and 11.36.60, with the Commvault SaaS solution remaining unaffected. An analysis revealed that threat actors could exploit these vulnerabilities through two pre-authenticated exploit chains for code execution. One chain combines CVE-2025-57791 and CVE-2025-57790, while the other strings together CVE-2025-57788, CVE-2025-57789, and CVE-2025-57790, with the latter being successful only if the built-in admin password has not been changed since installation. This disclosure follows a previous report of a critical flaw in Commvault Command Center (CVE-2025-34028, CVSS score: 10.0), which was added to the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog due to evidence of active exploitation.
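The fixed builds named above (11.32.102 and 11.36.60) are the practical test for whether an on-premises instance still needs the update. The following is an added example, not code from Commvault or from the original report: it parses a major.minor.build version string, compares it numerically against the fixed build for its feature-release branch, and reports branches the advisory does not name as unknown rather than guessing. The inventory it runs over is constructed sample data.

```python
"""Triage Commvault version strings against the fixed builds from the advisory."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed builds stated in the advisory, keyed by feature-release branch (major.minor).
FIXED_BUILDS: Dict[Tuple[int, int], Version] = {
    (11, 32): (11, 32, 102),
    (11, 36): (11, 36, 60),
}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(text: str) -> Version:
    """Turn '11.36.60' into (11, 36, 60); reject anything that is not three integers."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Commvault version string: {text!r}")
    major, minor, build = (int(x) for x in m.groups())
    return (major, minor, build)


def is_vulnerable(text: str) -> Optional[bool]:
    """True if below the fixed build for its branch, False if at or above it,
    None if the branch is not one the advisory names (no conclusion possible)."""
    v = parse_version(text)
    fixed = FIXED_BUILDS.get((v[0], v[1]))
    if fixed is None:
        return None
    # Tuple comparison is numeric: (11, 36, 5) < (11, 36, 60), whereas a naive
    # string comparison would wrongly rank "11.36.5" above "11.36.60".
    return v < fixed


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket hostnames by patch status; hostnames and versions are caller-supplied."""
    result: Dict[str, List[str]] = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        status = is_vulnerable(version)
        key = "unknown" if status is None else ("vulnerable" if status else "fixed")
        result[key].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = {
    "cs-prod-01": "11.36.59",  # one build short of the fix on the 11.36 branch
    "cs-prod-02": "11.36.60",  # at the fixed build
    "cs-dr-01": "11.32.5",     # far below 11.32.102
    "cs-lab-01": "11.34.10",   # branch not named in the advisory
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```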