August 28, 2025
By esentry Team

The Vault Exposure

In April, the backup giant Commvault, a leading global provider of data protection and management software known for solutions that address the critical needs of modern businesses, discovered four vulnerabilities.

These vulnerabilities were found in Commvault’s Command Center backup platform, enabling attackers to chain them together for pre-authentication remote code execution (RCE).

These flaws pose a significant threat, particularly in large enterprises and MSPs where Commvault manages sensitive backup data.

Vulnerabilities

CVE-2025-57788: Credentials Leak

·       Severity: Low

·       Attack Vector: Network

·       Privileges Required: None

·       User Interaction: None

·       Description: This weakness allows an unauthenticated attacker to obtain the password for a low-privileged user account.

CVE-2025-57789: Admin Password Decryption via Hard-Coded Key

·       Severity: Medium

·       Attack Vector: Network

·       Privileges Required: Undefined

·       User Interaction: None

·       Description: An elevation of privilege (EoP) vulnerability in which an encrypted admin password is retrieved and decrypted with a hard-coded Advanced Encryption Standard (AES) key.

CVE-2025-57791: Argument Injection for Session Token Theft

·       Severity: Medium

·       Attack Vector: Network

·       Privileges Required: Undefined

·       User Interaction: None

·       Description: A security vulnerability that allows remote attackers to inject or manipulate command-line arguments passed to internal components due to insufficient input validation. Successful exploitation results in a valid user session for a low privilege role.

CVE-2025-57790: Path Traversal Leading to Webshell Deployment

·       Severity: High

·       Attack Vector: Network

·       Privileges Required: Undefined

·       User Interaction: None

·       Impact: Unauthorized Data Access, Remote Code Execution, and Increased Risk of Ransomware Deployment

·       Description: This vulnerability stems from a path traversal issue that allows remote attackers to gain unauthorized access to the file system.

Exploitation Flow

An attacker could chain the vulnerabilities in this order:

Steal a low-privileged user password (CVE-2025-57788).

Use it to decrypt the administrator password and escalate privileges (CVE-2025-57789).

Exploit argument injection to obtain a session token without authentication (CVE-2025-57791).

Leverage the path traversal flaw to deploy a webshell and execute arbitrary remote commands (CVE-2025-57790).

Recommendation

The four vulnerabilities have all been fixed in versions 11.32.102 and 11.36.60. Organizations are advised to update to the latest patches.
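As an added example (not part of this advisory and not Commvault tooling), the following Python helper applies the two fixed versions named above to an inventory of Command Center instances, so that a defender can see at a glance which hosts still need the patch. It assumes a dotted numeric version string such as 11.32.101; any branch other than 11.32 and 11.36 is reported as unknown rather than guessed, and a version with a missing maintenance number is treated conservatively as vulnerable.

```python
"""Triage Commvault instances against the fixed versions named in the advisory."""
from collections import defaultdict

# Fixed versions from the advisory: 11.32.102 for the 11.32 branch, 11.36.60 for the 11.36 branch.
FIXED_BY_BRANCH = {
    (11, 32): (11, 32, 102),
    (11, 36): (11, 36, 60),
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor.maintenance' (an optional leading 'v' is tolerated).

    A missing maintenance number is padded with 0, which errs on the side of
    reporting the instance as vulnerable. Raises ValueError on anything else.
    """
    parts = text.strip().lstrip("vV").split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = [int(p) for p in parts] + [0] * (3 - len(parts))
    return numbers[0], numbers[1], numbers[2]


def patch_status(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-branch' for one version string."""
    parsed = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(parsed[:2])
    if fixed is None:
        # The advisory only names fixes for 11.32 and 11.36; do not guess for other branches.
        return "unknown-branch"
    return "patched" if parsed >= fixed else "vulnerable"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by patch status; unparseable versions land under 'invalid'."""
    groups: dict[str, list[str]] = defaultdict(list)
    for host, version in sorted(inventory.items()):
        try:
            groups[patch_status(version)].append(host)
        except ValueError:
            groups["invalid"].append(host)
    return dict(groups)


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up for illustration).
    sample = {"cc-01": "11.32.101", "cc-02": "11.36.60", "cc-03": "11.34.12", "cc-04": "11.32"}
    for status, hosts in triage(sample).items():
        print(f"{status}: {', '.join(hosts)}")
```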

Organizations that cannot apply updates right away should limit the exposure of vulnerable instances as much as possible and be on the lookout for unusual API activity and unexpected files popping up under web directories.

Conclusion

Backup systems are a prime target, and Commvault is under active attack. Until fully patched, restrict access and monitor closely to safeguard critical data.