Commvault plugs holes in backup suite that allow remote code execution

Commvault has fixed four security vulnerabilities that may allow unauthenticated attackers to compromise on-premises deployments of its flagship backup and replication suite.

Technical details about the vulnerabilities have been published on Wednesday by researchers at watchTowr Labs, who also proved that they could be chained together to achieve remote code execution.

The researchers refrained from publishing PoC exploits, but their very detailed write-up lowers the barrier for creating them. Admins who run Commvault on-prem should update to the latest maintenance versions as quickly as possible.

The vulnerabilities

Commvault is an enterprise data protection and management platform that’s used for backing up and restoring data, migrating workloads, managing compliance and retention, and more.

Commvault is primarily used by large enterprises, service providers, and government agencies that need to back up and manage a lot of data. It’s also often deployed on-premises in environments where SaaS backup is not an option (e.g., due to regulatory compliance requirements).

The four vulnerabilities unearthed by watchTowr researchers Sonny Macdonald and Piotr Bazydlo affect core parts of Commvault’s management plane, including the Web Server, Command Center, and in some cases the CommServe – the “central brain” of a Commvault deployment.

One bug (CVE-2025-57788) leaks the password for a low-privileged account. Another (CVE-2025-57789) lets an attacker decrypt the built-in administrator password using a hard-coded key (allowing privilege escalation).

A third flaw (CVE-2025-57791) abuses an argument injection in a login request to grab a low-privilege session token. The final one (CVE-2025-57790) is a path traversal issue that may allow attackers to write files into web directories, which makes it possible to drop a JSP webshell and then run arbitrary commands.

The exploits

The vulnerabilities can be exploited as part of two separate remote code execution (RCE) chains.

One of the chains works only if the built-in admin password hasn’t been changed since installation, and relies on exploiting CVE-2025-57788 (for bypassing authentication), CVE-2025-57789 (to escalate privileges), and CVE-2025-57790 to achieve RCE.

The second one – which apparently works against any unpatched Commvault instance – uses CVE-2025-57791 to bypass authentication and CVE-2025-57790 for RCE (by injecting a webshell).

“We are not aware of pre-conditions or environmental limitations that would block it,” the researchers pointed out.

What to do?

Backup software is a tempting target because it holds the keys to an organization’s data. Attackers who compromise a backup system can destroy recovery points or steal sensitive information. Ransomware operators in particular have a history of going after backup servers to make sure victims cannot restore their systems.

The four vulnerabilities affect Commvault main branch versions 11.32.0 – 11.32.101 and 11.36.0 – 11.36.59, on Linux and Windows. They have all been fixed in versions 11.32.102 and 11.36.60. (The company says that the vulnerabilities do not apply to the Commvault SaaS solution.)

watchTowr researchers say that versions 11.38.20 – 11.38.25 of Commvault’s “innovation” branch are also affected, and the flaws have been patched in version 11.38.32.

Organizations that cannot apply updates right away should limit the exposure of vulnerable instances as much as possible and be on the lookout for unusual API activity and unexpected files popping up under web directories.
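The two checks above, as an added example that is not Commvault's own code or tooling: a version-range check built from the affected and fixed versions listed in this article, and a scan that flags JSP files written under a web directory after a baseline timestamp (the artefact the CVE-2025-57790 chain leaves behind). The sample entries in the demo are constructed; the web directory path and baseline are assumptions the operator supplies.

```python
"""Exposure check and JSP-drop scan for the Commvault flaws in this article."""
import os
import re
from typing import Iterable, Optional, Tuple

# Affected ranges (inclusive) and the fixed build for each, as stated in the article.
AFFECTED = [
    ((11, 32, 0), (11, 32, 101), (11, 32, 102)),
    ((11, 36, 0), (11, 36, 59), (11, 36, 60)),
    ((11, 38, 20), (11, 38, 25), (11, 38, 32)),  # "innovation" branch
]

def parse_version(text: str) -> Tuple[int, ...]:
    """'11.36.59' -> (11, 36, 59); tolerates a leading 'v' and trailing build text."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Commvault version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def fixed_version_for(version: str) -> Optional[str]:
    """Return the maintenance version to update to, or None when the version is
    outside every listed affected range (already patched, or a branch not listed)."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED:
        if low <= v <= high:
            return ".".join(map(str, fixed))
    return None

def unexpected_jsp(entries: Iterable[Tuple[str, float]], baseline_ts: float,
                   known: Iterable[str] = ()) -> list:
    """entries are (path, mtime) pairs; flag .jsp files modified after the
    baseline (e.g. the last deployment) that are not on the allow-list."""
    known_set = set(known)
    return sorted(p for p, mtime in entries
                  if p.lower().endswith(".jsp") and mtime > baseline_ts
                  and p not in known_set)

def scan_webroot(webroot: str, baseline_ts: float, known: Iterable[str] = ()) -> list:
    """Walk a real web directory (path is an assumption) and feed it to unexpected_jsp()."""
    entries = [(os.path.join(root, f), os.path.getmtime(os.path.join(root, f)))
               for root, _, files in os.walk(webroot) for f in files]
    return unexpected_jsp(entries, baseline_ts, known)

if __name__ == "__main__":
    for v in ("11.32.101", "11.36.60", "11.38.22"):
        print(v, "->", fixed_version_for(v) or "not in a listed affected range")
    # Constructed sample listing: one shipped JSP, one dropped after the baseline.
    sample = [("/webroot/index.jsp", 50.0), ("/webroot/tmp/x.jsp", 200.0)]
    print(unexpected_jsp(sample, baseline_ts=100.0, known=["/webroot/index.jsp"]))
```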

Earlier this year, watchTowr researchers revealed details about CVE-2025-34028, a path traversal vulnerability affecting Commvault Command Center (Innovation Release) and allowing pre-auth RCE. They also published a proof-of-concept exploit, and it took only a week or so for attackers to leverage the flaw.
