
Critical Pre-Authorization Exploit Chains Discovered in Commvault: A Path to Remote Code Execution Attacks

Commvault has announced important security updates to address four vulnerabilities that could allow remote code execution on affected versions of its software, specifically those prior to version 11.36.60.

The identified vulnerabilities include:

  • CVE-2025-57788 (CVSS score: 6.9) – This flaw exists in a known login mechanism that permits unauthenticated attackers to execute API calls without any user credentials.

  • CVE-2025-57789 (CVSS score: 5.3) – This vulnerability arises during the setup phase after installation and before the first administrator login, allowing attackers to exploit default credentials to gain administrative access.

  • CVE-2025-57790 (CVSS score: 8.7) – A path traversal vulnerability that lets remote attackers gain unauthorized access to the file system, potentially leading to remote code execution.

  • CVE-2025-57791 (CVSS score: 6.9) – Because of insufficient input validation, attackers can inject or manipulate command-line arguments passed to internal components, resulting in a valid user session with low privileges.

The vulnerabilities were discovered by researchers Sonny Macdonald and Piotr Bazydlo from watchTowr Labs in April 2025. Commvault has since patched these vulnerabilities in versions 11.32.102 and 11.36.60, with the Commvault SaaS solution remaining unaffected.
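As an added example (not code from the article, watchTowr Labs or Commvault), a small Python helper that triages an inventory of Commvault version strings against the fixed builds named above. The per-branch rule for 11.32 and 11.36, the fallback to the 11.36.60 threshold for other branches, and the sample hosts are assumptions drawn only from the versions stated in this post.

```python
"""Branch-aware check of Commvault version strings against the fixed releases
(11.32.102 and 11.36.60). Added example, not Commvault tooling; version
strings are assumed to be dotted numerics such as '11.36.58'."""
from typing import Dict, Iterable, Tuple

# Fixed build per feature-release branch, as stated in the advisory.
FIXED_BUILDS = {(11, 32): 102, (11, 36): 60}
# The advisory's general statement: everything prior to 11.36.60 is affected.
GENERAL_THRESHOLD = (11, 36, 60)


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse '11.36.58' into (11, 36, 58); reject anything non-numeric."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(text: str) -> bool:
    """True if the version lacks the fixes for CVE-2025-57788 to CVE-2025-57791."""
    version = parse_version(text)
    branch = version[:2]
    if branch in FIXED_BUILDS:
        # Same feature release as a fixed build: compare the build number only,
        # so 11.32.102 is recognised as patched even though it sorts below 11.36.60.
        return version[2] < FIXED_BUILDS[branch]
    # Other branches (assumption): fall back to the advisory's general threshold.
    return version[:3] < GENERAL_THRESHOLD


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Return {host: verdict} for (host, version) pairs; unparseable entries are flagged."""
    report: Dict[str, str] = {}
    for host, version in inventory:
        try:
            report[host] = "PATCH" if is_affected(version) else "ok"
        except ValueError as exc:
            report[host] = f"unknown ({exc})"
    return report


if __name__ == "__main__":
    # Constructed sample inventory; not real hosts.
    sample = [("commserve-01", "11.36.58"), ("commserve-02", "11.36.60"),
              ("ma-03", "11.32.101"), ("ma-04", "11.32.102"),
              ("lab-05", "11.40.12"), ("legacy-06", "n/a")]
    for host, verdict in triage(sample).items():
        print(f"{host:12s} {verdict}")
```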

In their analysis, watchTowr Labs explained that these vulnerabilities could potentially be combined into two pre-authenticated exploit chains by threat actors. The first combines CVE-2025-57791 and CVE-2025-57790, while the second involves CVE-2025-57788, CVE-2025-57789, and CVE-2025-57790. The latter chain would only succeed if the default admin password remained unchanged since installation.

This disclosure follows a previous report nearly four months prior concerning a critical flaw in the Commvault Command Center (CVE-2025-34028), which carries a CVSS score of 10.0 and could enable arbitrary code execution on vulnerable installations. A month later, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation.

