Pre-auth exploit chains found in Commvault could allow remote code execution attacks

2 Min Read

Commvault has released updates to address four security flaws that can be chained together to achieve remote code execution on susceptible instances.

The vulnerabilities, which affect Commvault versions prior to 11.36.60, are listed below:

  • CVE-2025-57788 (CVSS score: 6.9) – A flaw in a known login mechanism allows unauthenticated attackers to make API calls without supplying user credentials.
  • CVE-2025-57789 (CVSS score: 5.3) – A flaw in the setup window between installation and the first administrator login allows remote attackers to exploit default credentials to gain administrative control.
  • CVE-2025-57790 (CVSS score: 8.7) – A path traversal vulnerability that allows remote attackers to gain illicit access to the file system.
  • CVE-2025-57791 (CVSS score: 6.9) – Insufficient input validation allows remote attackers to inject or manipulate command line arguments passed to internal components, resulting in a valid user session for a low-privileged role.

watchTowr Labs researchers Sonny Macdonald and Piotr Bazydlo are credited with discovering and reporting the four flaws in April 2025. All of them were fixed in versions 11.32.102 and 11.36.60. Commvault SaaS solutions are not affected.
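The two fixed builds sit in different maintenance branches, and build numbers like 11.36.102 compare the wrong way round if they are treated as strings. The script below, added here as an illustration and not code from Commvault or watchTowr, triages a constructed inventory of CommServe hosts against the 11.32.102 and 11.36.60 fix versions named above. Hostnames and version strings are made up, and any branch the advisory does not name is flagged for manual review rather than guessed at.

```python
# Added example (not Commvault's or watchTowr's code): triage a Commvault
# inventory against the fixed builds named in the advisory, 11.32.102 and 11.36.60.

# Fixed builds per maintenance branch, as stated in the advisory.
FIXED_BUILDS = {
    (11, 32): (11, 32, 102),
    (11, 36): (11, 36, 60),
}


def parse_version(text: str) -> tuple:
    """Parse a dotted version such as '11.36.59' into a tuple of ints.

    Tuples compare numerically, which avoids the lexical trap where the
    string '11.36.102' sorts before '11.36.60' and would be judged unpatched.
    """
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def triage(version_text: str) -> str:
    """Return 'vulnerable', 'fixed' or 'review' for one version string."""
    version = parse_version(version_text)
    fixed = FIXED_BUILDS.get(version[:2])
    if fixed is None:
        # Assumption: the advisory only names fix builds for the 11.32 and
        # 11.36 branches, so anything else is sent for manual review.
        return "review"
    return "fixed" if version >= fixed else "vulnerable"


def triage_inventory(hosts: dict) -> dict:
    """Group hostnames by triage result, preserving inventory order."""
    result = {"vulnerable": [], "fixed": [], "review": []}
    for host, version_text in hosts.items():
        result[triage(version_text)].append(host)
    return result


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "cs-prod-01": "11.36.59",
    "cs-prod-02": "11.36.60",
    "cs-dr-01": "11.36.102",
    "cs-legacy-01": "11.32.101",
    "cs-legacy-02": "11.32.102",
    "cs-lab-01": "11.28.80",
}

if __name__ == "__main__":
    for status, names in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(names) or '-'}")
```

Feed it the real version strings from your CommServe and MediaAgent inventory; anything reported as "review" needs a manual check against Commvault's own advisory rather than an assumption that it is safe.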

In an analysis published Wednesday, the cybersecurity company said threat actors could string these vulnerabilities together into two separate pre-authenticated exploit chains to achieve code execution: the first combining CVE-2025-57791 and CVE-2025-57790, and the second combining CVE-2025-57788, CVE-2025-57789 and CVE-2025-57790.

It is worth noting that the second pre-auth remote code execution chain relies on the default credentials covered by CVE-2025-57789, so it only succeeds if the built-in administrator password has not been changed since installation.

This disclosure comes almost four months after watchTowr Labs reported a critical Commvault Command Center flaw (CVE-2025-34028, CVSS score: 10.0) that could allow arbitrary code execution on affected installations.


A month later, the US Cybersecurity and Infrastructure Security Agency (CISA) added that vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
