Critical Security Flaw in Commvault Backup Suite Allows Remote Code Execution

Summary
– Commvault has fixed four vulnerabilities in its on-premises backup software that can be chained for remote code execution by unauthenticated attackers.
– The vulnerabilities affect core components including the Web Server, Command Center, and CommServe, with CVEs ranging from password leaks to path traversal issues.
– Researchers published detailed technical information but withheld proof-of-concept exploits, while cautioning that the published details still lower the barrier to building working attacks.
– Affected versions include main branch 11.32.0-11.32.101 and 11.36.0-11.36.59, with patches available in versions 11.32.102 and 11.36.60.
– Organizations should update immediately or limit exposure of vulnerable instances while monitoring for suspicious API activity and unexpected files.

A critical security vulnerability has been identified in on-premises deployments of the Commvault backup and replication suite, enabling unauthenticated attackers to execute remote code. Researchers at watchTowr Labs uncovered four distinct flaws that, when chained together, allow full system compromise. While proof-of-concept exploits have not been publicly released, the technical details provided significantly lower the barrier for threat actors to develop working attacks. Organizations relying on Commvault for data protection are urged to apply the latest patches immediately to mitigate risk.
Commvault serves as a comprehensive enterprise data management platform, widely adopted by large corporations, government bodies, and service providers for backup, restoration, compliance, and workload migration. Its on-premises deployment is common in environments where regulatory or operational constraints rule out cloud-based alternatives. The vulnerabilities discovered by researchers Sonny Macdonald and Piotr Bazydlo impact essential components of the Commvault infrastructure, including the Web Server, Command Center, and in certain cases, the CommServe, the central coordination hub for the entire system.
The first flaw, CVE-2025-57788, exposes the password of a low-privileged user account. A second issue, CVE-2025-57789, permits decryption of the built-in administrator password through a hard-coded key, enabling privilege escalation. CVE-2025-57791 involves argument injection during login, allowing an attacker to obtain a session token with limited rights. The final vulnerability, CVE-2025-57790, is a path traversal flaw that could let adversaries write files to web directories. This opens the door for uploading a JSP web shell and executing arbitrary commands.
These vulnerabilities can be leveraged in two separate attack chains to achieve remote code execution. One method depends on the built-in admin password remaining unchanged since installation. It combines CVE-2025-57788 for authentication bypass, CVE-2025-57789 for privilege escalation, and CVE-2025-57790 for final code execution. The second approach works against any unpatched instance and uses CVE-2025-57791 to bypass authentication before deploying a web shell via the path traversal flaw. Researchers emphasized that no special preconditions are needed for the second method to succeed.
Backup systems represent a high-value target for cybercriminals, especially ransomware groups, since compromising them can lead to data destruction or theft while eliminating recovery options. The affected versions include Commvault’s main branch releases 11.32.0 through 11.32.101 and 11.36.0 through 11.36.59 on both Linux and Windows. Patches are available in versions 11.32.102 and 11.36.60. The innovation branch versions 11.38.20 to 11.38.25 are also vulnerable and have been addressed in release 11.38.32. The company confirmed that SaaS deployments are not impacted.
For organizations unable to patch immediately, reducing network exposure of vulnerable instances is critical. Monitoring for unusual API behavior or unexpected files in web directories can help detect exploitation attempts. This disclosure follows earlier findings by watchTowr involving CVE-2025-34028, a similar path traversal issue in Commvault’s innovation branch that led to pre-authentication remote code execution. Attackers weaponized that flaw within a week of its public disclosure, underscoring the urgency of prompt remediation.
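As an added illustration of the triage and detection advice above (not code from watchTowr, Commvault, or the article), the following Python helper checks an installed version against the affected ranges the article lists and flags server-side files in a web directory that are absent from a known-good baseline. The web-root path, the baseline contents, and the file suffixes watched are assumptions for illustration.

```python
"""Triage helpers for the Commvault advisory (added example, not vendor code).

1. is_affected(): does an installed version fall inside the vulnerable ranges
   the article states? Builds at or above 11.32.102, 11.36.60 or 11.38.32 are fixed.
2. unexpected_files(): which server-side files under a web root are not in a
   baseline captured from a clean install (e.g. a newly dropped .jsp)?
"""
from pathlib import Path
from typing import Iterable

# Inclusive (first, last) vulnerable builds per branch, taken from the advisory.
AFFECTED_RANGES = [
    ((11, 32, 0), (11, 32, 101)),
    ((11, 36, 0), (11, 36, 59)),
    ((11, 38, 20), (11, 38, 25)),   # innovation branch
]


def parse_version(text: str) -> tuple:
    """'11.36.12' -> (11, 36, 12); tolerates whitespace and a leading 'v'."""
    parts = tuple(int(p) for p in text.strip().lstrip("vV").split("."))
    if len(parts) != 3:
        raise ValueError(f"expected major.minor.build, got {text!r}")
    return parts


def is_affected(version: str) -> bool:
    """True if the version lies inside any listed range (tuple comparison)."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def unexpected_files(relative_paths: Iterable[str], baseline: Iterable[str],
                     suffixes=(".jsp", ".jspx")) -> list:
    """Web-root-relative paths ('/' separated) that carry a server-side suffix
    and are absent from the known-good baseline; suffix match is case-insensitive."""
    known = set(baseline)
    return sorted(p for p in relative_paths
                  if p.lower().endswith(suffixes) and p not in known)


def unexpected_web_files(web_root: Path, baseline: Iterable[str]) -> list:
    """Walk a real web root (assumed path) and apply unexpected_files() to it."""
    rel = (p.relative_to(web_root).as_posix()
           for p in web_root.rglob("*") if p.is_file())
    return unexpected_files(rel, baseline)


if __name__ == "__main__":
    for ver in ("11.32.50", "11.32.102", "11.36.60", "11.38.22"):
        print(ver, "AFFECTED" if is_affected(ver) else "not in listed ranges")
```

Capture the baseline from a freshly patched install and re-run the file check on a schedule; a build reported as "not in listed ranges" is not necessarily safe if it sits between the listed range and the fixed build, so confirm against the vendor advisory.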
(Source: HelpNet Security)