
Commvault customers advised to patch two RCE exploit chains


Data backup and replication specialist Commvault has issued patches covering four vulnerabilities in its core software product that, left unaddressed, could be combined to achieve two distinct remote code execution (RCE) exploit chains.

The four issues were discovered by WatchTowr vulnerability researchers who were probing Commvault’s software after having stumbled upon another RCE flaw, CVE-2025-34028, earlier this year.

“Like our friendly neighbourhood ransomware gangs and APT groups, we’ve continued to spend irrational amounts of time looking at critical enterprise-grade solutions – those that we think are made of the really good stuff,” the researchers said in their disclosure notice. “[And] as we have seen throughout history…backup and replication solutions represent a high-value target for threat actors.

“While discovering and identifying CVE-2025-34028, which we have discussed before, we…found further weaknesses – ultimately culminating in four more vulnerabilities discussed today that, when combined, evolve like your favourite Pokémon…into two distinct pre-authentication RCE chains,” they said.

The four vulnerabilities have been assigned the following Common Vulnerabilities and Exposures (CVE) designations, in numerical order: CVE-2025-57788, CVE-2025-57789, CVE-2025-57790 and CVE-2025-57791.

The first attack chain found by WatchTowr joins together CVE-2025-57791 with CVE-2025-57790.

CVE-2025-57791 is an argument injection vulnerability that allows a remote attacker to inject or manipulate command-line arguments passed to internal components. It arises from insufficient input validation and, when successfully exploited, yields a valid application programming interface (API) token for a user session on a low-privileged account.

CVE-2025-57790 is a path traversal vulnerability enabling a remote attacker to access the target’s file system and write a JavaServer Pages (JSP) webshell into the webroot, thus achieving RCE.

The second attack chain combines CVE-2025-57788 and CVE-2025-57789 with CVE-2025-57790.

CVE-2025-57788 is an information disclosure vulnerability that stems from an issue in the login mechanism allowing an unauthenticated party to execute an API call and leak valid credentials.

CVE-2025-57789, an elevation of privilege (EoP) vulnerability, can then be used in highly specific circumstances – between installation and the first admin logon, according to Commvault – to retrieve an encrypted admin password and decrypt it with a hardcoded Advanced Encryption Standard (AES) key.

From there, an attacker can again use the fourth vulnerability, the path traversal flaw, to achieve RCE.
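Both chains above end in the same way: a path traversal flaw lets a file be written outside the directory the application intended, and a server-side script dropped into the webroot then becomes RCE. The following is an added example, not code from the article, Commvault or WatchTowr, of the two controls a defender wants on any file-write endpoint in this class: prove the resolved path stays inside the base directory, and allow only data file types (so an executable type such as `.jsp` is refused even where the directory check is somehow bypassed). The base directory, the extension allowlist and the sample requests are all constructed for illustration.

```python
import posixpath

# Hypothetical allowlist for a file-upload endpoint: data formats only, never
# server-side executable types such as .jsp, so a write into the wrong place
# cannot become a webshell even if the directory check were bypassed.
ALLOWED_EXTENSIONS = frozenset({".txt", ".csv", ".log", ".pdf"})


class UnsafePath(ValueError):
    """Raised when a user-supplied path is rejected."""


def safe_join(base_dir: str, user_path: str) -> str:
    """Join user_path onto base_dir and prove the result stays inside base_dir.

    Works on POSIX-style paths. Call this after the web framework has already
    URL-decoded the input; do not decode a second time here.
    """
    base = posixpath.normpath(base_dir)
    if "\x00" in user_path:
        raise UnsafePath("null byte in path")
    if posixpath.isabs(user_path):
        raise UnsafePath("absolute paths are not accepted")
    # normpath collapses "a/../b" segments; the commonpath check then catches
    # any result that climbed out of base_dir.
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    if posixpath.commonpath([base, candidate]) != base:
        raise UnsafePath(f"path escapes {base}: {user_path!r}")
    return candidate


def validate_upload_target(base_dir: str, user_path: str) -> str:
    """Return the resolved target if both its location and file type are acceptable."""
    target = safe_join(base_dir, user_path)
    ext = posixpath.splitext(target)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UnsafePath(f"file type {ext!r} is not permitted")
    return target


def is_safe_upload(base_dir: str, user_path: str) -> bool:
    """Boolean wrapper, convenient for logging, metrics and tests."""
    try:
        validate_upload_target(base_dir, user_path)
        return True
    except UnsafePath:
        return False


if __name__ == "__main__":
    # Constructed requests, not traffic captured from any real system.
    UPLOAD_DIR = "/srv/app/uploads"
    requests = [
        "reports/q3.csv",
        "reports/../q3.csv",
        "../../webroot/page.jsp",
        "/etc/passwd",
        "notes.jsp",
    ]
    for p in requests:
        verdict = "accept" if is_safe_upload(UPLOAD_DIR, p) else "reject"
        print(f"{verdict:7s} {p}")
```

The commonpath comparison is the part that matters: a naive `startswith` check on the joined string passes `/srv/app/uploads-old/x` for a base of `/srv/app/uploads`, whereas `commonpath` compares whole path components. The extension allowlist is a second, independent layer; either control alone would have left one of the two failure modes open.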

The first of the two chains is applicable to any unpatched Commvault instance, said WatchTowr, but the second is acknowledged to need a very specific set of circumstances to be present and met before it becomes exploitable. Neither chain is applicable to software-as-a-service (SaaS) customers.

WatchTowr presented the issues to Commvault beginning on 15 April and, following the usual back-and-forth, full public disclosure was scheduled for 20 August, following the publication of Commvault’s official advisory on 19 August.

The patches cover versions 11.32.0 to 11.32.101, and versions 11.36.0 to 11.36.59, of Commvault for Linux and Windows environments, taking them to versions 11.32.102 and 11.36.60 respectively. WatchTowr’s team has additionally stated that versions 11.38.20 through 11.38.25 have been patched to 11.38.32, although this is not noted in Commvault’s advisory notice at the time of writing.
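For an on-premise estate with more than a handful of CommServe hosts, the practical question is which installed versions fall inside the ranges just listed. The following is an added example, not a tool from Commvault or WatchTowr, that encodes exactly those ranges and triages a constructed inventory; it assumes versions are reported as dotted `major.minor.patch` strings, and it deliberately returns "unlisted" rather than guessing for any version the article does not cover (including the 11.38.x versions between the affected range and 11.38.32, which should be confirmed against the vendor advisory).

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse a dotted 'major.minor.patch' string such as '11.32.101'."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


@dataclass(frozen=True)
class AffectedRange:
    first: Version      # lowest affected version, inclusive
    last: Version       # highest affected version, inclusive
    fixed_in: Version   # first version carrying the fix
    source: str         # where the range was published


# Ranges exactly as given in the article; nothing here is inferred.
AFFECTED_RANGES = (
    AffectedRange((11, 32, 0), (11, 32, 101), (11, 32, 102), "Commvault advisory"),
    AffectedRange((11, 36, 0), (11, 36, 59), (11, 36, 60), "Commvault advisory"),
    AffectedRange((11, 38, 20), (11, 38, 25), (11, 38, 32),
                  "WatchTowr (not in Commvault advisory at time of writing)"),
)


def assess(version_text: str) -> Dict[str, str]:
    """Classify one installed version as affected, patched or unlisted."""
    v = parse_version(version_text)
    for r in AFFECTED_RANGES:
        same_branch = v[:2] == r.first[:2]
        if r.first <= v <= r.last:
            return {"version": fmt(v), "status": "affected",
                    "action": f"upgrade to {fmt(r.fixed_in)}", "source": r.source}
        if same_branch and v >= r.fixed_in:
            return {"version": fmt(v), "status": "patched",
                    "action": "none", "source": r.source}
        if same_branch:
            # Same release branch but outside both the affected range and the
            # fixed version: the article does not cover it, so do not guess.
            return {"version": fmt(v), "status": "unlisted",
                    "action": "confirm with vendor advisory", "source": r.source}
    return {"version": fmt(v), "status": "unlisted",
            "action": "not in any listed range; confirm with vendor advisory",
            "source": "n/a"}


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hostnames whose installed version is in an affected range."""
    return [host for host, ver in inventory if assess(ver)["status"] == "affected"]


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are illustrative only.
    inventory = [
        ("bk-01", "11.32.50"),
        ("bk-02", "11.36.60"),
        ("bk-03", "11.38.22"),
        ("bk-04", "11.38.28"),
    ]
    for host, ver in inventory:
        r = assess(ver)
        print(f"{host}: {r['version']:10s} {r['status']:9s} {r['action']} [{r['source']}]")
    print("needs patching:", ", ".join(triage(inventory)))
```

Comparing versions as integer tuples rather than strings is what makes `11.32.101` sort correctly above `11.32.99`; a string comparison would get that wrong and silently mark a vulnerable host as patched.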

WatchTowr’s researchers have not published proof-of-concept code themselves, but motivated threat actors will likely be looking into the issues in short order, so on-premise customers are advised to apply all four patches as quickly as is practical to safeguard against exploitation.

A Commvault spokesperson said: “We thank external researcher WatchTowr for responsibly disclosing these vulnerabilities. Patches were promptly made available and customers were not impacted. The later versions of our code do not have these vulnerabilities.”