Pre-Auth Exploit Chains Found in Commvault Could Enable Remote Code Execution Attacks

Commvault has released updates to address four security gaps that could be exploited to achieve remote code execution on susceptible instances.

The list of vulnerabilities, identified in Commvault versions before 11.36.60, is as follows –

• CVE-2025-57788 (CVSS score: 6.9) – A vulnerability in a known login mechanism allows unauthenticated attackers to execute API calls without requiring user credentials
• CVE-2025-57789 (CVSS score: 5.3) – A vulnerability during the setup phase between installation and the first administrator login that allows remote attackers to exploit the default credentials to gain admin control
• CVE-2025-57790 (CVSS score: 8.7) – A path traversal vulnerability that allows remote attackers to perform unauthorized file system access through a path traversal issue, resulting in remote code execution
• CVE-2025-57791 (CVSS score: 6.9) – A vulnerability that allows remote attackers to inject or manipulate command-line arguments passed to internal components due to insufficient input validation, resulting in a valid user session for a low-privilege role

✔ Approved Seller From Our Partners

Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).

➤ Get Mullvad VPN with 12% Discount

watchTowr Labs researchers Sonny Macdonald and Piotr Bazydlo have been credited with discovering and reporting the four security defects in April 2025. All the flagged vulnerabilities have been resolved in versions 11.32.102 and 11.36.60. Commvault SaaS solution is not affected.

In an analysis published Wednesday, the cybersecurity company said threat actors could fashion these vulnerabilities into two pre-authenticated exploit chains to achieve code execution on susceptible instances: One that combines CVE-2025-57791 and CVE-2025-57790, and the other that strings CVE-2025-57788, CVE-2025-57789, and CVE-2025-57790.

It’s worth noting that the second pre-auth remote code execution chain becomes successful only if the built-in admin password hasn’t been changed since installation.

The disclosure comes nearly four months after watchTowr Labs reported a critical Commvault Command Center flaw (CVE-2025-34028, CVSS score: 10.0) that could allow arbitrary code execution on affected installations.

A month later, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.