A pre-auth exploit chain found in Commvault could permit remote code execution attacks


Commvault has released an update to address four security gaps that could be exploited to achieve remote code execution on vulnerable instances.

The list of vulnerabilities identified in Commvault versions prior to 11.36.60 is as follows:

  • CVE-2025-57788 (CVSS score: 6.9) – A vulnerability in a known login mechanism allows unauthenticated attackers to make API calls without needing user credentials.
  • CVE-2025-57789 (CVSS score: 5.3) – A vulnerability in the setup window between installation and the initial administrator login allows remote attackers to use default credentials to gain administrative control.
  • CVE-2025-57790 (CVSS score: 8.7) – A path traversal vulnerability that allows remote attackers to perform unauthorized file system access.
  • CVE-2025-57791 (CVSS score: 6.9) – A vulnerability that allows remote attackers to inject or manipulate command-line arguments passed to internal components due to insufficient input validation, resulting in valid user sessions for low-privilege roles.

watchTowr Labs researchers Sonny MacDonald and Piotr Bazydlo are credited with discovering and reporting the four security flaws in April 2025. All flagged vulnerabilities were resolved in versions 11.32.102 and 11.36.60. Commvault SaaS solutions are not affected.

In an analysis published Wednesday, the cybersecurity company said threat actors could string these vulnerabilities together into two pre-authenticated exploit chains to achieve code execution, one of them combining CVE-2025-57791 and CVE-2025-57790.

It is worth noting that the second pre-auth remote code execution chain will only succeed if the built-in administrator password has not been changed since installation.

This disclosure comes almost four months after watchTowr Labs reported a critical Commvault Command Center flaw (CVE-2025-34028, CVSS score: 10.0) that allows arbitrary code execution on affected installations.


A month later, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
