Full Report
Multiple vulnerabilities have been discovered in Commvault Backup & Recovery, which when chained together, could allow for remote code execution. Commvault Backup & Recovery is a comprehensive data protection solution that offers a range of services for safeguarding data across various environments, including on-premises, cloud, and hybrid setups. Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication, escalate privileges, run arbitrary commands, and potentially drop a JSP webshell.
Analysis Summary
# Vulnerability: Chained RCE in Commvault Backup & Recovery
## CVE Details
The article describes multiple vulnerabilities that can be chained for RCE, but does not assign specific CVSS scores. We list the individual CVEs mentioned:
- CVE ID: CVE-2025-57788
- CVE ID: CVE-2025-57789
- CVE ID: CVE-2025-57790
- CVE ID: CVE-2025-57791
- CVSS Score: N/A (Severity based on context: High/Critical due to RCE potential)
- CWE: N/A (Multiple components involved)
## Affected Systems
- Products: Commvault Backup & Recovery
- Versions:
- 11.32.0 through 11.32.101 (Linux and Windows)
- 11.36.0 through 11.36.59 (Linux and Windows)
- Configurations: Exploitability depends on configuration. Chain 1 below requires the default administrator password to still be in place (the window after installation and before the first administrator login); Chain 2 works on any unpatched instance regardless of configuration.
## Vulnerability Description
Multiple vulnerabilities exist in Commvault Backup & Recovery that, when chained, permit Remote Code Execution (RCE).
**Key Flaws Identified:**
1. **CVE-2025-57788 (Initial Access):** Allows unauthenticated remote attackers to execute API calls without credentials due to a flaw in a login mechanism.
2. **CVE-2025-57789 (Privilege Escalation):** Exploitable during the brief window between installation and the first administrator login, potentially allowing an attacker using the default credential to gain admin control.
3. **CVE-2025-57790 (RCE via Path Traversal):** Enables remote attackers to perform unauthorized file system access via a path traversal issue, potentially leading to RCE.
4. **CVE-2025-57791 (Authentication Bypass):** Allows remote attackers to bypass authentication via insufficient input validation on command-line arguments, resulting in a valid user session for a low-privilege role.
**Chains for RCE:**
* **Chain 1 (requires the default admin password to be unchanged):** CVE-2025-57788 (unauthenticated API access) -> CVE-2025-57789 (privilege escalation to administrator) -> CVE-2025-57790 (path traversal to RCE).
* **Chain 2 (works on any unpatched instance):** CVE-2025-57791 (authentication bypass yielding a low-privilege session) -> CVE-2025-57790 (path traversal used to write a JSP webshell, giving RCE).
## Exploitation
- Status: PoC available (Researchers from watchTowr Labs posted a detailed write-up).
- Complexity: Low for the entry points, since both CVE-2025-57788 and CVE-2025-57791 are reachable without credentials. Chain 1 additionally depends on the default administrator password being unchanged; Chain 2 has no such precondition. The public write-up lowers the bar further.
- Attack Vector: Network (Remote, Unauthenticated access possible for initial steps).
## Impact
Successful exploitation allows an attacker to:
- Bypass authentication.
- Escalate privileges.
- Run arbitrary commands.
- Drop a JSP webshell (leading to RCE).
- **Confidentiality:** High (Arbitrary command execution leads to data exfiltration).
- **Integrity:** High (Arbitrary command execution and webshell drop).
- **Availability:** High (System compromise).
## Remediation
### Patches
Apply the fixed builds provided by Commvault immediately after appropriate testing. The fixed builds are not listed in this summary; they are the first releases after the affected ranges above (later than 11.32.101 and 11.36.59) and are identified in the vendor advisories referenced below.
### Workarounds
No specific technical workarounds are detailed in this summary. Until the patches are applied, general best practices that reduce exposure include:
1. Changing the administrative password immediately after installation, which removes the precondition for Chain 1 (CVE-2025-57789 is only exploitable while the default credential is still in place). This does not affect Chain 2.
2. Restricting network access to the Commvault web interface and API to trusted management networks, since both chains start from unauthenticated network requests. The input validation fixes themselves are vendor-side and are delivered only by the patches.
## Detection
- **Indicators of Compromise (IOCs):** API requests that succeed without a preceding authentication (CVE-2025-57788); request paths containing directory traversal sequences, including URL-encoded and double-encoded forms (CVE-2025-57790); new or recently modified JSP files under the web application directories of the affected servers (the webshell dropped by Chain 2); and a source that produces repeated authentication failures and then obtains a valid low-privilege session (CVE-2025-57791).
- **Detection Methods and Tools:** Perform authenticated vulnerability scans (SCAP-compliant) quarterly or more frequently, and confirm the installed build is outside the affected ranges. Monitor application and web server logs for unusual API call sequences, for traversal patterns in request paths, and for failed authentication attempts followed by successful low-privilege access. Compare the set of JSP files in the web application directories against a known-good baseline taken from a patched or freshly installed system.
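The three log-based and file-based checks above, as an added example that is not part of the original page or of Commvault's own tooling. The access-log line format (`ip user "METHOD path proto" status`) is an assumption chosen for illustration and is not Commvault's real log format; the sample lines and the JSP files written to a temporary directory are constructed for the demo. The example goes slightly beyond the text by decoding request paths repeatedly so that double-encoded traversal (`..%252F`) is caught as well.

```python
"""Triage helpers for the indicators listed above (added example, assumed log format)."""
import os
import re
import tempfile
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in an assumed generic access-log format (not Commvault's).
SAMPLE_LOG = """\
10.0.0.5 - "GET /commandcenter/login HTTP/1.1" 401
10.0.0.5 - "POST /commandcenter/login HTTP/1.1" 401
10.0.0.5 - "GET /commandcenter/api/Client HTTP/1.1" 200
203.0.113.9 - "GET /files/..%2F..%2F..%2Fwebapps/shell.jsp HTTP/1.1" 200
10.0.0.7 - "GET /commandcenter/dashboard HTTP/1.1" 200
""".splitlines()

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)


def parse(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def decode_path(path):
    """Percent-decode until stable so ..%252F (double-encoded) also becomes ../."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path.replace("\\", "/")  # treat backslash traversal the same way


def traversal_hits(lines):
    """(ip, raw path) for every request whose decoded path contains '../'."""
    hits = []
    for ln in lines:
        rec = parse(ln)
        if rec and "../" in decode_path(rec["path"]):
            hits.append((rec["ip"], rec["path"]))
    return hits


def failed_then_success(lines, threshold=2):
    """Source IPs that hit >= threshold 401s and then receive a 200 (CVE-2025-57791 pattern)."""
    fails = defaultdict(int)
    flagged = []
    for ln in lines:
        rec = parse(ln)
        if not rec:
            continue
        if rec["status"] == "401":
            fails[rec["ip"]] += 1
        elif rec["status"] == "200" and fails[rec["ip"]] >= threshold:
            flagged.append(rec["ip"])
            fails[rec["ip"]] = 0  # report each burst once
    return flagged


# Command-execution primitives commonly found in JSP webshells.
JSP_SUSPECT = re.compile(rb"Runtime\.getRuntime\(\)\.exec|ProcessBuilder", re.I)


def suspicious_jsp(root, newer_than):
    """JSP/JSPX files under root modified after `newer_than` (epoch) that match JSP_SUSPECT."""
    found = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            if not n.lower().endswith((".jsp", ".jspx")):
                continue
            p = os.path.join(dirpath, n)
            if os.path.getmtime(p) < newer_than:
                continue
            with open(p, "rb") as f:
                if JSP_SUSPECT.search(f.read()):
                    found.append(p)
    return found


def demo_webshell_scan():
    """Constructed demo: one benign and one webshell-like JSP in a temp dir; returns names flagged."""
    with tempfile.TemporaryDirectory() as d:
        webroot = os.path.join(d, "webapps", "ROOT")
        os.makedirs(webroot)
        with open(os.path.join(webroot, "index.jsp"), "w") as f:
            f.write("<html><%= new java.util.Date() %></html>")
        with open(os.path.join(webroot, "x.jsp"), "w") as f:  # constructed, never deployed
            f.write('<% Runtime.getRuntime().exec(request.getParameter("c")); %>')
        # newer_than=0 scans everything; in practice pass the patch or baseline timestamp.
        return [os.path.basename(p) for p in suspicious_jsp(d, newer_than=0)]


if __name__ == "__main__":
    print("traversal:", traversal_hits(SAMPLE_LOG))
    print("fail-then-success:", failed_then_success(SAMPLE_LOG))
    print("suspicious jsp:", demo_webshell_scan())
```

Point `suspicious_jsp` at the real web application root with `newer_than` set to the timestamp of the last known-good deployment; the string match is a triage filter, so any hit should be compared against a baseline from a patched install before being treated as a webshell.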
## References
- Vendor Advisories:
- https://documentation.commvault.com/securityadvisories/CV_2025_08_1.html
- https://documentation.commvault.com/securityadvisories/CV_2025_08_2.html
- https://documentation.commvault.com/securityadvisories/CV_2025_08_3.html
- https://documentation.commvault.com/securityadvisories/CV_2025_08_4.html
- Other:
- https://www.helpnetsecurity.com/2025/08/20/commvault-backup-suite-vulnerabilities-fixed/