Commvault: High-risk gap allows malicious code to be injected

Attackers can exploit security vulnerabilities in the Commvault backup software to, among other things, inject malicious code. Updates are available.


There are security gaps in the Commvault backup software that allow attackers to inject malicious code, among other things. The manufacturer is providing updates to patch the vulnerabilities.

The most serious vulnerability is a path traversal flaw that gives attackers unauthorized access to the file system. This could lead to the execution of malicious code from the network (CVE-2025-57790 / EUVD-2025-25256, CVSS 8.7, risk "high"). However, attackers need at least minimal rights in the system to do this.

Due to insufficient checks, attackers from the network can also inject or manipulate command-line parameters that are passed on to internal components (CVE-2025-57791 / EUVD-2025-25255, CVSS 6.9, risk "medium"). Unauthenticated malicious actors from the network can also execute API calls without providing credentials. This vulnerability affects a "known log-in mechanism". Role-based access controls (RBAC) should limit the attack surface, but cannot eliminate the risk (CVE-2025-57788 / EUVD-2025-25258, CVSS 6.9, risk "medium").


After installation, Commvault provides a log-in with default credentials. Admins must change these the first time they log in. In the period in between, however, attackers can misuse these default credentials – but no backup jobs can be created at this time (CVE-2025-57789 / EUVD-2025-25257, CVSS 5.3, risk "medium").

The Commvault versions 11.32.102 and 11.36.60 and newer for Linux and Windows close the vulnerabilities. The versions provided as "Software as a Service" (SaaS) have already been patched by the manufacturer itself, so admins do not need to take any further action here.
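An added triage check (example code written for this article, not Commvault's own tooling) that flags inventory entries below the fixed builds named above; it assumes that feature releases newer than 11.36 also carry the fix and reports branches the article does not mention for manual review:

```python
"""Flag Commvault installations that are below the fixed builds named in the
advisory (11.32.102 and 11.36.60 for CVE-2025-57788/-57789/-57790/-57791).
Example code for this article, not Commvault's own tooling. Assumption: feature
releases newer than 11.36 count as "newer" and are treated as fixed; older
branches the article does not mention are reported as needing a manual check."""
import re

# Fixed maintenance release per feature branch, as stated in the article.
FIXED_BUILDS = {(11, 32): 102, (11, 36): 60}


def parse_version(text):
    """Parse 'major.feature.maintenance' (e.g. '11.36.58') into an int tuple."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised Commvault version: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text):
    """Return 'fixed', 'vulnerable' or 'check-manually' for one version string."""
    major, feature, maint = parse_version(version_text)
    branch = (major, feature)
    if branch in FIXED_BUILDS:
        return "fixed" if maint >= FIXED_BUILDS[branch] else "vulnerable"
    if branch > max(FIXED_BUILDS):
        return "fixed"          # assumption: later feature releases ship the fix
    return "check-manually"     # branch not covered by the article


def triage(inventory):
    """inventory: {hostname: version string}. Returns {hostname: verdict}."""
    return {host: assess(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hypothetical hostnames, not real systems).
SAMPLE_INVENTORY = {
    "cs-prod-01": "11.36.58",
    "cs-prod-02": "11.36.60",
    "ma-legacy-01": "11.32.101",
    "ma-legacy-02": "11.32.102",
    "lab-01": "11.28.40",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {verdict}")
```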

Commvault's backup software is very popular with cyber criminals, who regularly abuse security gaps in it. In May, for example, a vulnerability in Commvault with a maximum rating of CVSS 10 was exploited, which also allowed attackers to inject code.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.