Multiple vulnerabilities have been identified in Commvault Backup & Recovery that, when chained, could lead to remote code execution. Commvault Backup & Recovery is a comprehensive data protection platform supporting on-premises, cloud, and hybrid environments. Successful exploitation of these flaws could allow attackers to bypass authentication, escalate privileges, execute arbitrary commands, and potentially deploy a JSP webshell.
Commvault has released critical security updates to address four severe vulnerabilities that could enable remote code execution on vulnerable instances. Affecting versions prior to 11.36.60, these flaws pose a significant risk to organizations and highlight the critical need for prompt patch management.
The first vulnerability, CVE-2025-57788 (CVSS 6.9), impacts a common login mechanism, allowing unauthenticated attackers to execute API calls without valid credentials. The second, CVE-2025-57789 (CVSS 5.3), exists during the initial setup phase between installation and the first administrator login, enabling remote attackers to exploit default credentials and obtain administrative privileges.
The third vulnerability, CVE-2025-57790 (CVSS 8.7), is a path traversal flaw that allows unauthorized access to the file system, potentially resulting in remote code execution. The fourth, CVE-2025-57791 (CVSS 6.9), stems from insufficient input validation, enabling attackers to manipulate command-line arguments to internal components and gain a valid low-privilege user session.
These vulnerabilities were discovered and reported in April 2025 by watchTowr Labs researchers Sonny Macdonald and Piotr Bazydlo. Commvault has since addressed all four issues in versions 11.32.102 and 11.36.60, while users of the Commvault SaaS platform remain unaffected.
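The fixed builds above differ per maintenance branch (11.32.102 on the 11.32 branch, 11.36.60 on the 11.36 branch), so a plain "less than 11.36.60" comparison would wrongly flag a patched 11.32.102 host. The following is an added defender-side example, not code from the advisory, watchTowr or Commvault: it parses version strings from a constructed host inventory and reports which hosts still need the update. The `major.minor.patch` string format, the inventory dictionary, and the conservative rule that any other branch below 11.36.60 counts as affected are assumptions.

```python
"""Added example: triage Commvault Backup & Recovery hosts against the fixed
builds named in the advisory (11.32.102 and 11.36.60).

Assumptions (not from the advisory): versions are 'major.minor.patch' strings,
and branches other than 11.32/11.36 have no named fix, so anything below
11.36.60 on those branches is treated as still affected.
"""
from typing import Dict, Tuple

# Fixed build per maintenance branch, as stated in the advisory.
FIXED_BUILDS: Dict[Tuple[int, int], int] = {
    (11, 32): 102,
    (11, 36): 60,
}
# Highest fixed version overall; the advisory says versions prior to it are affected.
LATEST_FIXED: Tuple[int, int, int] = (11, 36, 60)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'major.minor.patch' into an int tuple; missing trailing parts become 0.

    Raises ValueError for non-numeric or oddly shaped input so that an
    inventory entry with a garbage version is reported rather than silently
    treated as patched.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version format: {text!r}")
    nums = [int(p) for p in parts]  # ValueError on non-numeric components
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def is_vulnerable(version: str) -> bool:
    """True if the build is below the fixed build for its branch."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_BUILDS:
        # Compare within the branch: 11.32.102 is fixed even though it is
        # numerically below 11.36.60.
        return patch < FIXED_BUILDS[branch]
    # Assumption: other branches have no named fix, so fall back to the
    # advisory's "prior to 11.36.60" statement.
    return (major, minor, patch) < LATEST_FIXED


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'patch required', 'fixed', or 'unparseable version'."""
    result: Dict[str, str] = {}
    for host, version in inventory.items():
        try:
            result[host] = "patch required" if is_vulnerable(version) else "fixed"
        except ValueError:
            result[host] = "unparseable version"
    return result


# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY: Dict[str, str] = {
    "cs-prod-01": "11.36.52",   # 11.36 branch, below 11.36.60
    "cs-prod-02": "11.36.60",   # exactly the fixed build
    "ma-dr-01": "11.32.101",    # 11.32 branch, one below the fix
    "ma-dr-02": "11.32.102",    # fixed on the 11.32 branch
    "lab-01": "11.34.10",       # branch with no named fix, below 11.36.60
    "lab-02": "11.38.1",        # later branch, above 11.36.60
    "legacy-01": "11.20",       # short version string
    "unknown-01": "11.36.x",    # broken inventory entry
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:12} {SAMPLE_INVENTORY[host]:10} {status}")
```

Feeding a real inventory export (host to version) into `triage` yields the patch-required list directly; the per-branch table is the part to keep current if Commvault publishes further fixed builds.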
Cybersecurity experts warn that threat actors could chain these vulnerabilities into pre-authenticated exploit sequences to achieve remote code execution. One attack chain combines CVE-2025-57791 with CVE-2025-57790, while another links CVE-2025-57788, CVE-2025-57789, and CVE-2025-57790. The latter chain is only effective if the default administrative password remains unchanged, underscoring the critical risk of leaving default credentials unmodified.
Conclusion:
The recently identified vulnerabilities in Commvault pose a significant risk of remote code execution, especially when chained by attackers. Timely patching to versions 11.32.102 or 11.36.60 is essential to mitigate these threats. Organizations should also review and update default administrative credentials to prevent exploitation. Continuous monitoring and adherence to security best practices remain critical to safeguarding Commvault deployments.
These vulnerabilities may enable attackers to obtain unauthorized access, elevate privileges, and run arbitrary code on impacted systems, putting sensitive data and critical backups at risk. Exploitation could result in system outages, data corruption or loss, and lateral movement across the network, creating substantial operational and reputational threats. Organizations that delay applying the updates remain highly exposed to targeted attacks.
https://thehackernews.com/2025/08/pre-auth-exploit-chains-found-in.html