Commvault has launched updates to handle 4 safety gaps that might be exploited to realize distant code execution on vulnerable cases.
The record of vulnerabilities, recognized in Commvault variations earlier than 11.36.60, is as follows –
- CVE-2025-57788 (CVSS rating: 6.9) – A vulnerability in a identified login mechanism permits unauthenticated attackers to execute API calls with out requiring person credentials
- CVE-2025-57789 (CVSS rating: 5.3) – A vulnerability through the setup part between set up and the primary administrator login that permits distant attackers to use the default credentials to achieve admin management
- CVE-2025-57790 (CVSS rating: 8.7) – A path traversal vulnerability that permits distant attackers to carry out unauthorized file system entry via a path traversal concern, leading to distant code execution
- CVE-2025-57791 (CVSS rating: 6.9) – A vulnerability that permits distant attackers to inject or manipulate command-line arguments handed to inside elements because of inadequate enter validation, leading to a legitimate person session for a low-privilege function
watchTowr Labs researchers Sonny Macdonald and Piotr Bazydlo have been credited with discovering and reporting the 4 safety defects in April 2025. All of the flagged vulnerabilities have been resolved in variations 11.32.102 and 11.36.60. Commvault SaaS answer isn’t affected.
In an evaluation revealed Wednesday, the cybersecurity firm mentioned risk actors might trend these vulnerabilities into two pre-authenticated exploit chains to realize code execution on vulnerable cases: One that mixes CVE-2025-57791 and CVE-2025-57790, and the opposite that strings CVE-2025-57788, CVE-2025-57789, and CVE-2025-57790.
It is price noting that the second pre-auth distant code execution chain turns into profitable provided that the built-in admin password hasn’t been modified since set up.
The disclosure comes practically 4 months after watchTowr Labs reported a crucial Commvault Command Heart flaw (CVE-2025-34028, CVSS rating: 10.0) that would enable arbitrary code execution on affected installations.
A month later, the U.S. Cybersecurity and Infrastructure Safety Company (CISA) added the vulnerability to its Recognized Exploited Vulnerabilities (KEV) catalog, citing proof of lively exploitation within the wild.
Elevate your perspective with NextTech Information, the place innovation meets perception.
Uncover the most recent breakthroughs, get unique updates, and join with a world community of future-focused thinkers.
Unlock tomorrow’s developments at the moment: learn extra, subscribe to our e-newsletter, and develop into a part of the NextTech neighborhood at NextTech-news.com
