Article Details
Scrape Timestamp (UTC): 2025-08-20 17:10:35.283
Source: https://www.theregister.com/2025/08/20/commvault_bug_chains_patched/
Original Article Text
Commvault releases patches for two nasty bug chains after exploits proven. Researchers disclosing their findings said 'it's as bad as it sounds'.
Researchers at watchTowr just published working proof-of-concept exploits for two unauthenticated remote code execution bug chains in backup giant Commvault. They reported the four vulnerabilities to Commvault in April, and the vendor released patches on Wednesday. Commvault SaaS is unaffected. All users are advised to apply the available updates, especially since the first of the two chains works against all unpatched instances.
The first chain involves two vulnerabilities (CVE-2025-57791 and CVE-2025-57790), an argument injection in CommServe and a path traversal bug respectively. The severity scores for the flaws are not especially concerning on their own, but chained together they become more dangerous. In Commvault's advisory, it describes CVE-2025-57791 as a vulnerability that allows attackers to retrieve a valid user session for a low-privilege role, assigning it a CVSS score of 6.9 (medium severity). In its PoC, watchTowr painted a different view, showing how to gain access to a local admin account.
The argument injection bug at the heart of this chain lies in one of Commvault's QCommands. They're used to carry out admin functions, and their use is protected by requiring a valid API token. QLogin is a QCommand that handles authentication, and researchers found that by altering fields in the request to the Login endpoint, they could bypass the need for a password and generate an API token for the local admin user.
The second vulnerability in the chain (CVE-2025-57790) carries the highest severity score of all four (8.7) that received patches today and is a path traversal flaw, a bug class CISA says should have been eradicated long ago. The researchers said an absolute path traversal in the QCommand output writer allowed them to write a JSP webshell directly into the webroot, achieving RCE.
"This combination is exploitable against any unpatched Commvault instance," the researchers blogged. "We are not aware of preconditions or environmental limitations that would block it. It's as bad as it sounds, so we will not be publishing a Detection Artifact Generator for this one."
The second chain, which watchTowr concedes is dependent on specific but common conditions within a target's environment being met, also makes use of the same path traversal bug to ultimately achieve RCE, but does so after exploiting two additional, medium-severity flaws.
First, there's CVE-2025-57788, which allows unauthenticated users to call APIs to bypass authentication. watchTowr found that by sending a specially crafted request to the Commvault server, they could leak the password of the low-privileged _PublicSharingUser_ account via a returned JSON web token. It carries a 6.9 severity score, and Commvault says that role-based access control can help limit customers' exposure to the bug, but falls short of serving as a workaround.
CVE-2025-57789 comes after, and allows the attacker to gain admin access and full control of the target system. The bug bridges the gap between CVE-2025-57788 and CVE-2025-57790, which can't complete as a two-bug chain because the _PublicSharingUser_ account doesn't have the privileges to drop a webshell.
watchTowr's Sonny and Piotr Bazydlo, who worked together on the research, found that the low-privileged account could retrieve user details, including password encryption keys for admin accounts. They then found the method in Commvault's code used to decrypt passwords, and used it against the retrieved admin password to log in as that admin. Notably, during watchTowr's version of the disclosure timeline, Commvault originally pushed back on this bug, saying it couldn't be feasibly exploited in real-world scenarios.
The vendor argued the flaw was impractical, which may explain why the make-me-admin bug carries the lowest severity score (5.3) of all four vulnerabilities, namely because of the conditions that highly limit its exploitability.
Note that the retrieved password was not hashed, but encrypted. This is only the case when the product is initially set up – the admin password set during this process is encrypted, but if it is ever changed, then it is hashed, making it more secure. In addition, according to watchTowr, the day before it disclosed the flaw to Commvault, the backup vendor issued version 11.38.25, which introduced password hashing after the first successful login.
In response, watchTowr stood by its findings: "Even so, this chain will likely still impact many Commvault instances. And if it doesn't, the first chain we described remains unaffected by these limitations.
"It's also worth noting that many Commvault administrators don't use the built-in admin account at all, which could leave this attack path viable for longer."
The Register contacted Commvault for a response.
Daily Brief Summary
Commvault has released patches for four vulnerabilities, including two critical unauthenticated remote code execution chains, affecting its backup systems.
The first vulnerability chain, involving CVE-2025-57791 and CVE-2025-57790, allows attackers to bypass authentication and execute code as a local admin.
Researchers demonstrated that the vulnerabilities could be exploited without preconditions, posing a significant risk to unpatched systems.
The second chain, reliant on specific conditions, exploits additional flaws to gain unauthorized admin access and control over the system.
Commvault's advisory suggests role-based access control to mitigate risks, though it does not fully prevent exploitation.
The company has responded by issuing patches and enhancing security measures such as password hashing in its latest software version.
Organizations using Commvault are urged to apply the patches promptly to protect against potential exploitation.
This incident underscores the importance of timely patch management and the need for robust security practices in software deployment.