
Introduction
Recently, four vulnerabilities (CVE-2025-57788, CVE-2025-57789, CVE-2025-57790, and CVE-2025-57791) were disclosed in Commvault's Command Center backup platform. Individually they range from a credential leak to a file write; chained together they give an unauthenticated attacker remote code execution (RCE) on the server. The impact is significant in enterprise environments, where the Commvault server holds credentials for, and copies of, the organisation's most sensitive data.
Detailed Notes on Each Vulnerability
- CVE-2025-57788: Credential leak
An unauthenticated attacker can retrieve the password of a low-privileged built-in account from an exposed endpoint. On its own this yields only a low-privileged login, but it is the foothold the rest of the chain builds on.
- CVE-2025-57789: Administrator password decryption via a hard-coded key
With a low-privileged login (for example the one obtained above), an attacker can reach the encrypted built-in administrator credentials. They are protected with a factory-set key that is identical in every installation and recoverable from the product itself, so the attacker can decrypt them and escalate straight to administrator on the backup system.
- CVE-2025-57791: Argument injection yielding a session token
An argument injection bug in the login request lets an attacker manipulate request parameters to obtain a valid session token for a low-privileged account without presenting that account's password, giving authenticated access to the application.
- CVE-2025-57790: Path traversal leading to webshell deployment
With authenticated access, an attacker can write attacker-controlled files to arbitrary locations, including web-accessible directories. Dropping a JSP webshell there gives persistent access and arbitrary command execution on the server through the web interface.
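The hard-coded-key weakness behind CVE-2025-57789 is easy to state but worth seeing end to end: if the key that protects the administrator password ships inside every copy of the product, then any party who can read the ciphertext can read the password. The following is an added illustration, not Commvault's code or its actual cipher; the key value, the HMAC-SHA256 counter-mode construction, and the InstallationKeystore class are all constructed for the demo. It contrasts the weak design with one where the key is generated per installation and held outside the shipped product.

```python
import hashlib
import hmac
import secrets

# Constructed example of a factory-set key baked into the product. Anyone with a copy
# of the software (or a decompiler) knows it, so it protects nothing against an
# attacker who can reach the ciphertext.
FACTORY_KEY = bytes.fromhex(
    "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
)


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode used as a PRF keystream (toy construction for the demo)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verifies the tag before decrypting; a wrong key fails here rather than yielding garbage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# --- Weak design: the same key in every installation -------------------------------
def store_admin_password_weak(admin_password):
    """What a credential store looks like when it encrypts under the shipped FACTORY_KEY."""
    return encrypt(FACTORY_KEY, admin_password.encode())


def attacker_recovers_admin_password(stolen_blob):
    """Attacker model: a low-privileged login exposed the blob; the key came from the binary."""
    return decrypt(FACTORY_KEY, stolen_blob).decode()


# --- Hardened design: per-installation key kept out of the shipped product ----------
class InstallationKeystore:
    """Key generated at install time and held in an OS keystore or KMS (in memory here)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)

    def store_admin_password(self, admin_password):
        return encrypt(self._key, admin_password.encode())

    def load_admin_password(self, blob):
        return decrypt(self._key, blob).decode()


def demo():
    """Returns (password recovered from weak store, attacker success against hardened store,
    password the legitimate service reads back from the hardened store)."""
    weak_blob = store_admin_password_weak("Adm1n-Secret!")
    recovered = attacker_recovers_admin_password(weak_blob)  # succeeds with the shipped key

    keystore = InstallationKeystore()
    hardened_blob = keystore.store_admin_password("Adm1n-Secret!")
    try:
        attacker_recovers_admin_password(hardened_blob)  # attacker still only has FACTORY_KEY
        attacker_wins = True
    except ValueError:
        attacker_wins = False
    return recovered, attacker_wins, keystore.load_admin_password(hardened_blob)


if __name__ == "__main__":
    print(demo())
```

The point of the hardened version is not the cipher but the key's provenance: the product can no longer decrypt the administrator password on a machine it was not installed on, and an attacker who obtains the blob through a low-privileged account has nothing to decrypt it with. Real deployments should use a vetted AEAD (AES-GCM or ChaCha20-Poly1305) and a key held in a KMS or OS keystore rather than this toy construction.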
Exploitation Flow
An attacker could combine these vulnerabilities as follows:
- Leak a low-privileged user's password (CVE-2025-57788).
- Log in with it and decrypt the built-in administrator password using the hard-coded key, escalating to administrator (CVE-2025-57789).
- Abuse the argument injection in the login request to obtain a session token without proper authentication (CVE-2025-57791); as described above, this route to authenticated access does not depend on the leaked password.
- With authenticated access, use the path traversal to write a JSP webshell into a web-accessible directory (CVE-2025-57790) and execute arbitrary commands on the server through it.
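The final step turns a file-write primitive into code execution because the write can land under the servlet container's web root. The following added example (not Commvault's code; the directory layout, file names and placeholder webshell body are constructed) shows the unsafe pattern, a client-supplied name joined straight onto an upload directory, next to the check that defeats it: canonicalise the destination, require it to remain inside the intended directory, and refuse extensions the container would execute.

```python
import os
import tempfile

# Extensions a Java servlet container will execute; a write of any of these under
# the web root is a backdoor regardless of what else the application does.
EXECUTABLE_EXTENSIONS = {".jsp", ".jspx", ".jspf", ".war", ".class"}


def vulnerable_save(upload_dir, client_filename, data):
    """Trusts the client-supplied name: '../' sequences walk out of upload_dir."""
    dest = os.path.join(upload_dir, client_filename)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as f:
        f.write(data)
    return os.path.realpath(dest)


def safe_save(upload_dir, client_filename, data):
    """Canonicalise, then require the result to stay inside upload_dir and not be executable."""
    root = os.path.realpath(upload_dir)
    # os.path.join discards root if client_filename is absolute; realpath then resolves
    # '..' and symlinks, so the containment check below sees the real destination.
    dest = os.path.realpath(os.path.join(root, client_filename))
    if dest == root or os.path.commonpath([root, dest]) != root:
        raise ValueError(f"path traversal rejected: {client_filename!r}")
    if os.path.splitext(dest)[1].lower() in EXECUTABLE_EXTENSIONS:
        raise ValueError(f"executable content rejected: {client_filename!r}")
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as f:
        f.write(data)
    return dest


def demo():
    """Constructed layout: <tmp>/webapps/ROOT is served by the container, <tmp>/uploads is not.
    Returns (vulnerable write escaped into the web root, safe_save blocked it, benign upload stayed inside)."""
    base = tempfile.mkdtemp()
    web_root = os.path.join(base, "webapps", "ROOT")
    upload_dir = os.path.join(base, "uploads")
    os.makedirs(web_root)
    os.makedirs(upload_dir)

    shell_body = b"<%-- stand-in for webshell content --%>"  # placeholder, not a real webshell
    hostile_name = os.path.join("..", "webapps", "ROOT", "cmd.jsp")

    landed = vulnerable_save(upload_dir, hostile_name, shell_body)
    escaped = os.path.dirname(landed) == os.path.realpath(web_root)

    try:
        safe_save(upload_dir, hostile_name, shell_body)
        blocked = False
    except ValueError:
        blocked = True

    benign = safe_save(upload_dir, os.path.join("reports", "backup-2025.txt"), b"ok")
    stayed_inside = benign.startswith(os.path.realpath(upload_dir) + os.sep)
    return escaped, blocked, stayed_inside


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice: the containment check must run on the canonical path (after symlink and `..` resolution), not on the raw string, and the extension filter is defence in depth, not the primary control, since a traversal into a configuration or library directory is still a serious write even when the file is not a JSP.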
Conclusion
This chain of vulnerabilities in Commvault's Command Center shows how credential management flaws, hard-coded secrets, weak input validation, and an unchecked file write compound in security-critical software: together they let an unauthenticated attacker obtain credentials, escalate to administrator, bypass authentication, and gain persistent RCE on enterprise backup infrastructure. Prompt patching is essential.
Until fully remediated, organizations should strictly restrict network access to Commvault systems and closely monitor for suspicious logins and for unexpected file writes under the web root, as exploit code is public and active attacks are ongoing.
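One concrete form the "monitor for file activity" advice can take is a sweep of the servlet container's web root for servable files that were not present, or have changed, relative to a known-good baseline. The following is an added example, not a Commvault tool; the directory layout and file contents are constructed, and the baseline is assumed to come from a clean reference installation of the same version.

```python
import hashlib
import os
import tempfile

# Files a servlet container will execute. A new or modified one under the web root is
# the artefact a path-traversal webshell drop leaves behind.
SERVED_EXTENSIONS = {".jsp", ".jspx", ".jspf", ".war"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _servable_files(web_root):
    for dirpath, _, names in os.walk(web_root):
        for name in names:
            if os.path.splitext(name)[1].lower() in SERVED_EXTENSIONS:
                path = os.path.join(dirpath, name)
                yield os.path.relpath(path, web_root), path


def baseline(web_root):
    """Relative path -> SHA-256 for every servable file; take this from a clean reference system."""
    return {rel: sha256_file(path) for rel, path in _servable_files(web_root)}


def sweep(web_root, known):
    """Return (relative path, reason) for servable files that are new or changed versus the baseline."""
    findings = []
    for rel, path in _servable_files(web_root):
        digest = sha256_file(path)
        if rel not in known:
            findings.append((rel, "not in baseline"))
        elif known[rel] != digest:
            findings.append((rel, "content changed"))
    return findings


def demo():
    """Constructed scenario: one legitimate page, then a dropped webshell and a trojaned page."""
    root = tempfile.mkdtemp()
    app = os.path.join(root, "ROOT")
    os.makedirs(app)
    with open(os.path.join(app, "index.jsp"), "w") as f:
        f.write("<html>legitimate page</html>")
    known = baseline(root)

    # Post-compromise changes (constructed, placeholder contents).
    with open(os.path.join(app, "cmd.jsp"), "w") as f:
        f.write("<%-- stand-in for webshell content --%>")
    with open(os.path.join(app, "index.jsp"), "a") as f:
        f.write("<%-- appended backdoor --%>")

    return sorted(sweep(root, known))


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason}: {rel}")
```

Run the sweep on a schedule and alert on any finding; hashes beat modification times because an attacker who can write files can usually also set timestamps. Pair it with review of authentication logs for successful logins by the low-privileged built-in account, which under normal operation should rarely, if ever, log in interactively.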
