
August 21, 2025

Commvault vulnerabilities chained into pre-auth RCE


On August 19, 2025, Commvault issued security advisories addressing four vulnerabilities affecting CommServe, Web Server, and Command Center components in versions 11.32.0 to 11.32.101, and versions 11.36.0 to 11.36.59.

These vulnerabilities, tracked as CVE-2025-57788, CVE-2025-57789, CVE-2025-57790 and CVE-2025-57791, include argument injection, path traversal, unauthorized API access, and a flaw in the initial administrator login process.

Individually rated from Medium to High severity, these vulnerabilities do not pose a critical risk in isolation.

However, one day after the security advisory was issued, researchers published two exploit chains targeting Commvault’s enterprise backup infrastructure that could ultimately enable unauthenticated remote code execution (RCE).

The first exploit chain is broadly applicable to unpatched instances. The second requires a specific but common configuration, namely that the administrator password is stored in an encrypted format rather than hashed in the database.

These vulnerabilities are limited to on-premises deployments, where the affected components (such as the QCommand interface and internal API exposure) are directly accessible. They do not impact Commvault’s cloud-hosted SaaS offerings, which isolate and abstract backend services from direct access.

As of August 21, there is no evidence of exploitation outside of controlled testing environments.
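A fleet-triage helper for the affected version ranges listed above, added here as an example (it is not Commvault's code or tooling). It assumes inventory records carry the version as a three-part "major.minor.maintenance" string; that format is an assumption, and anything else is reported as unparseable rather than silently treated as safe.

```python
"""Triage helper: flag Commvault hosts whose version lies inside the affected
ranges stated in the advisory summary above. Added example, not Commvault's code."""
from typing import Iterable

# Affected ranges as stated on this page, inclusive at both ends, keyed by
# the 11.32 and 11.36 feature-release branches.
AFFECTED_RANGES = {
    (11, 32): (0, 101),
    (11, 36): (0, 59),
}


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse 'major.minor.maintenance'. The three-part form is an assumption
    about the inventory data, not a documented Commvault format."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, maint = (int(p) for p in parts)
    return major, minor, maint


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    major, minor, maint = parse_version(version)
    rng = AFFECTED_RANGES.get((major, minor))
    if rng is None:
        return False  # a branch this advisory does not list
    low, high = rng
    return low <= maint <= high


def triage(inventory: Iterable[tuple[str, str]]) -> tuple[list[str], list[str]]:
    """Return (affected_hosts, unparseable_hosts) so bad records are not lost."""
    affected, unparseable = [], []
    for host, version in inventory:
        try:
            if is_affected(version):
                affected.append(host)
        except ValueError:
            unparseable.append(host)
    return affected, unparseable


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = [("cs-prod-01", "11.32.45"), ("cs-prod-02", "11.32.102"),
              ("cs-lab-01", "11.36.59"), ("cs-lab-02", "11.36.60"),
              ("cs-old-01", "11.36.0"), ("cs-bad", "11.36")]
    print(triage(sample))  # (['cs-prod-01', 'cs-lab-01', 'cs-old-01'], ['cs-bad'])
```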


Analyst insight

Commvault serves as a central repository for backup and recovery, often holding privileged access to critical infrastructure. A successful exploit could allow attackers to exfiltrate sensitive data, tamper with backup integrity, or pivot deeper into the network.

While no exploitation in the wild has been confirmed for these specific flaws, proof-of-concept code exists, and the vulnerabilities are trivial to exploit once understood.

Because Commvault often interfaces with domain controllers, hypervisors, and storage arrays, compromise of this system can serve as a launchpad for broader network intrusion.

Additionally, Commvault’s architecture exposes thousands of internal API endpoints through a proxy mechanism that bridges its Java front-end and .NET backend. This design flaw allows attackers to interact with backend services that were not intended to be externally accessible. Once inside, attackers can abuse these APIs to manipulate backup jobs, access sensitive data, or impersonate users.

If the compromised Commvault instance has access to backup repositories or production systems, the attacker could move laterally to those environments and potentially escalate privileges or deploy malware.