Urgent Commvault Security Alert: Patch These RCE Vulnerabilities Now

Published: August 22, 2025

Commvault, a leading data protection and cyber resilience software company, recently disclosed several vulnerabilities that could be chained together for powerful remote code execution (RCE) attacks. This is a big deal because a compromised Commvault server can be a gateway to an entire network, exposing critical backups and data.

What's the Big Deal?

Commvault is widely used by enterprises for managing backups and data across various environments, including on-premise, cloud, and hybrid setups. A successful attack on a Commvault system can lead to the following:

  • Data Exfiltration: Attackers could steal sensitive data from your backups.
  • Data Tampering: They could corrupt or manipulate backup data, making recovery impossible after an incident like a ransomware attack.
  • Network-Wide Compromise: A foothold on the Commvault server could be used to move laterally within the network, gaining access to other critical systems like domain controllers and hypervisors.

The Vulnerabilities Explained

Commvault has patched four specific vulnerabilities, discovered by watchTowr Labs researchers Sonny Macdonald and Piotr Bazydlo:

  • CVE-2025-57788 (CVSS 6.9): An unauthorized API access flaw that lets attackers make API calls without credentials.
  • CVE-2025-57789 (CVSS 5.3): A setup-phase vulnerability that allows remote attackers to gain admin control by exploiting default credentials. This is only a risk if the admin password hasn't been changed since installation.
  • CVE-2025-57790 (CVSS 8.7): A path traversal vulnerability, which is the most severe of the four. It allows unauthorized file system access and can directly lead to remote code execution.
  • CVE-2025-57791 (CVSS 6.9): An input validation flaw that allows attackers to inject or manipulate command-line arguments, which can result in a valid low-privilege user session.

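The page does not describe the affected Commvault code path, so the following is a generic illustration of the vulnerability class behind CVE-2025-57790 rather than Commvault's own code: a naive path join that lets a caller-supplied name climb out of the intended directory, next to a canonicalising check that confines the resolved path to a base directory. Function names, the scratch directory and the sample request strings are all constructed for this added example.

```python
"""Generic path traversal illustration (added example, not Commvault code).

naive_resolve() shows the weak pattern; safe_resolve() shows the check a
file-serving endpoint should apply before touching the filesystem.
"""
import os
import tempfile


def naive_resolve(base_dir: str, requested: str) -> str:
    """Weak: a bare join. '..' segments are kept, and an absolute 'requested'
    makes os.path.join discard base_dir entirely."""
    return os.path.join(base_dir, requested)


def safe_resolve(base_dir: str, requested: str) -> str:
    """Resolve 'requested' under base_dir; raise ValueError if it escapes.

    realpath() collapses '..' and follows symlinks, so the containment test
    is made on the canonical path rather than on the raw string.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath() also rejects paths on different drives/roots (ValueError),
    # which is the outcome we want, so let that propagate unchanged.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes base directory: {requested!r}")
    return candidate


def demo() -> dict:
    """Run safe_resolve() over constructed requests in a scratch directory.

    Returns {request: 'allowed' | 'rejected'} so the outcome is inspectable.
    """
    base = tempfile.mkdtemp(prefix="traversal_demo_")  # constructed sandbox
    requests = [
        "reports/daily.log",          # ordinary relative name: fine
        "reports/../reports/x.log",   # '..' that stays inside the base: fine
        "../../etc/passwd",           # climbs above the base: reject
        "/etc/passwd",                # absolute name: reject
    ]
    outcome = {}
    for req in requests:
        try:
            safe_resolve(base, req)
            outcome[req] = "allowed"
        except ValueError:
            outcome[req] = "rejected"
    return outcome


if __name__ == "__main__":
    for req, result in demo().items():
        print(f"{result:8s} {req}")
    # The weak pattern hands back an attacker-chosen absolute path unchanged:
    print("naive:", naive_resolve("/srv/backups", "/etc/passwd"))
```

The containment check belongs at the trust boundary (the API handler), and it must run on the canonical path: normalising the string with `normpath` alone would still be fooled by a symlink inside the base directory that points elsewhere.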
While each of these is a problem on its own, the real danger lies in how they can be combined.

The Exploit Chains ⛓

Researchers found two main ways these vulnerabilities could be strung together to achieve pre-authenticated remote code execution, meaning an attacker doesn't need to log in first.

Chain 1: The 'Input Validation' to 'RCE' Route

  • CVE-2025-57791 is used to gain a low-privilege user session.
  • This is then combined with the most critical vulnerability, CVE-2025-57790 (path traversal), to execute remote code.

Chain 2: The 'Default Password' to 'RCE' Route

  • CVE-2025-57788 (unauthorized API access) and CVE-2025-57789 (default admin credentials) are used to gain administrative control.
  • This is then combined with CVE-2025-57790 (path traversal) to achieve remote code execution.

This second chain is particularly concerning for organizations that haven't followed the best practice of changing default passwords after installation.

What to Do Now

Commvault has resolved these issues in versions 11.32.102 and 11.36.60. The company's SaaS (cloud-hosted) solution is not affected.

  • Patch Immediately: If you are running an on-premise Commvault release older than the fixed versions named above (11.32.102 on the 11.32 branch, 11.36.60 on the 11.36 branch), update to a patched version immediately. This is the most crucial step.
  • Review CISA's KEV Catalog: This isn't the first major vulnerability for Commvault. Earlier this year, another critical flaw (CVE-2025-34028) was added to CISA's Known Exploited Vulnerabilities catalog, meaning it's being actively targeted by attackers. This underscores the importance of staying on top of Commvault's security updates.
  • Change Default Credentials: If you haven't already, change the default administrator password. This simple step can prevent the second exploit chain from being successful.
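To turn the patch guidance above into something an operator can run across an inventory, here is an added version-triage script (not Commvault tooling). It encodes only the two fixed releases the advisory names, 11.32.102 and 11.36.60, keyed by feature-release branch; any other 11.x branch is reported as "unknown-branch" for manual review rather than guessed at. The hostnames and version strings in the sample inventory are constructed.

```python
"""Triage on-premise Commvault versions against the advisory's fixed releases.

Added example, not Commvault's own tooling. Version strings are assumed to be
'major.feature.maintenance' (e.g. '11.36.59'); anything else is 'invalid'.
"""
import re
from typing import Dict, List, Optional, Tuple

# Fixed maintenance releases per feature-release branch, from the advisory.
FIXED_RELEASES: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (11, 32): (11, 32, 102),
    (11, 36): (11, 36, 60),
}

VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'a.b.c' into an int tuple; return None for malformed input."""
    m = VERSION_RE.match(text)
    if not m:
        return None
    major, feature, maintenance = (int(g) for g in m.groups())
    return (major, feature, maintenance)


def assess(version_text: str) -> str:
    """Classify one version: 'patched', 'vulnerable', 'unknown-branch', 'invalid'.

    A branch absent from FIXED_RELEASES is not assumed safe; it is flagged
    for manual review (assumption made by this example, not by the advisory).
    """
    version = parse_version(version_text)
    if version is None:
        return "invalid"
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        return "unknown-branch"
    # Tuple comparison orders by major, then feature, then maintenance.
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group {hostname: version} by assessment status, preserving input order."""
    groups: Dict[str, List[str]] = {}
    for host, version_text in inventory.items():
        groups.setdefault(assess(version_text), []).append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "cs-backup-01": "11.36.59",
        "cs-backup-02": "11.36.60",
        "cs-dr-site": "11.32.101",
        "cs-lab": "11.34.20",
        "cs-broken": "11.36",
    }
    for status, hosts in sorted(triage(sample).items()):
        print(f"{status:15s} {', '.join(hosts)}")
```

Run it against the version strings collected from your CommServe hosts; hosts in the "vulnerable" group need the update, and "unknown-branch" hosts should be checked against Commvault's advisory directly, since this script deliberately refuses to extrapolate beyond the two branches the page lists.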