Thursday, August 21, 2025

Commvault users told to patch two RCE exploit chains


Data backup and replication specialist Commvault has issued patches covering off four vulnerabilities in its core software product that, left unaddressed, could be combined to achieve two distinct remote code execution (RCE) exploit chains.

The four issues were discovered by WatchTowr vulnerability researchers who were probing Commvault’s software after having stumbled upon another RCE flaw – CVE-2025-34028 – earlier this year. 

“Like our friendly neighbourhood ransomware gangs and APT groups, we’ve continued to spend irrational amounts of time looking at critical enterprise-grade solutions – the ones that we think are made of the really good string,” the researchers said in their disclosure notice. “[And] as we have seen throughout history…backup and replication solutions represent a high-value target for threat actors.

“While discovering and identifying CVE-2025-34028 that we’ve discussed before, we…found further weaknesses – ultimately culminating in four more vulnerabilities discussed today that, when combined, evolve like your favourite Pokémon…into two distinct pre-authentication RCE chains,” they said.

The four vulnerabilities have been assigned the following common vulnerabilities and exposures (CVE) designations, listed in numerical order: CVE-2025-57788, CVE-2025-57789, CVE-2025-57790 and CVE-2025-57791.

The first attack chain found by WatchTowr joins together CVE-2025-57791 with CVE-2025-57790.

CVE-2025-57791 is an argument injection vulnerability, arising from insufficient input validation, that allows a remote attacker to inject or manipulate command-line arguments passed to internal components. Successfully exploited, it yields a valid application programming interface (API) token for a user session on a low-privileged account.

CVE-2025-57790 is a path traversal vulnerability enabling a remote attacker to access the target’s file system and write a JavaServer Pages (JSP) webshell into the webroot, thus achieving RCE.

The second attack chain combines CVE-2025-57788 and CVE-2025-57789 with CVE-2025-57790.

CVE-2025-57788 is an information disclosure vulnerability that stems from an issue in the login mechanism, allowing an unauthenticated party to execute an API call and leak valid credentials.

CVE-2025-57789, an elevation of privilege (EoP) vulnerability, can then be used in highly specific circumstances – between installation and the first admin logon, according to Commvault – to retrieve an encrypted admin password and decrypt it with a hardcoded Advanced Encryption Standard (AES) key.

From there, an attacker can again use the path traversal vulnerability, CVE-2025-57790, to achieve RCE.

The first of the two chains is applicable to any unpatched Commvault instance, said WatchTowr, but the second is acknowledged to require a very specific set of conditions to be present and met before it becomes exploitable. Neither chain applies to software-as-a-service (SaaS) users.

WatchTowr presented the issues to Commvault beginning on 15 April, and following the usual back-and-forth, full public disclosure was scheduled for 20 August following the publication of Commvault’s official advisory on 19 August.

The patches cover versions 11.32.0 to 11.32.101, and versions 11.36.0 to 11.36.59 of Commvault for Linux and Windows environments, and take them to version 11.32.102 and 11.36.60 respectively. WatchTowr’s team has additionally stated that versions 11.38.20 through 11.38.25 have been patched to 11.38.32, although this is not noted in Commvault’s advisory notice at the time of writing.
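The affected and fixed builds above are easy to mis-compare by hand, because dotted build numbers do not sort as strings (the string "11.32.101" sorts before "11.32.60"). The following is an added example, not Commvault’s or WatchTowr’s own tooling, that parses a build number numerically and reports whether it falls inside one of the ranges listed on this page and which fixed build applies. It assumes a plain dotted numeric version string such as `11.32.101` as input; the 11.38 range is tagged separately because, as noted above, it comes from WatchTowr’s disclosure and not from Commvault’s advisory at the time of writing.

```python
"""Check an installed Commvault build against the affected/fixed ranges
reported in this article. Added example; not Commvault or WatchTowr code."""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# (first affected, last affected, fixed build, where the range is stated).
# Values are taken from the article text; the 11.38 entry is WatchTowr's
# statement and was not in Commvault's advisory at the time of writing.
AFFECTED_RANGES: List[Tuple[Version, Version, Version, str]] = [
    ((11, 32, 0), (11, 32, 101), (11, 32, 102), "Commvault advisory"),
    ((11, 36, 0), (11, 36, 59), (11, 36, 60), "Commvault advisory"),
    ((11, 38, 20), (11, 38, 25), (11, 38, 32), "WatchTowr disclosure"),
]


def parse_version(text: str) -> Version:
    """Turn '11.32.101' into (11, 32, 101) so comparisons are numeric.

    Rejects anything that is not purely dotted integers, so a typo such as
    '11.32.101a' fails loudly instead of being compared as text.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def format_version(v: Version) -> str:
    return ".".join(str(p) for p in v)


def assess(text: str) -> Dict[str, Optional[str]]:
    """Report whether a build sits inside a listed affected range.

    Tuple comparison gives the correct numeric ordering, e.g.
    (11, 32, 101) < (11, 32, 102) even though the strings would not.
    A build outside every listed range is reported as 'outside listed
    ranges', which is all this article supports; it is not a statement
    that such a build is unaffected.
    """
    installed = parse_version(text)
    for low, high, fixed, source in AFFECTED_RANGES:
        if low <= installed <= high:
            return {
                "version": format_version(installed),
                "status": "affected",
                "fixed_in": format_version(fixed),
                "source": source,
            }
    return {
        "version": format_version(installed),
        "status": "outside listed ranges",
        "fixed_in": None,
        "source": None,
    }


if __name__ == "__main__":
    # Constructed sample inputs covering the edge of each range.
    for sample in ("11.32.101", "11.32.102", "11.36.59", "11.36.60", "11.38.25"):
        print(assess(sample))
```

The boundary builds are the ones worth checking by hand: 11.32.101 and 11.36.59 are the last affected builds in each family and 11.32.102 and 11.36.60 are the first fixed ones, so a checker that gets those four right is not being fooled by string ordering.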

WatchTowr’s researchers have not published proof-of-concept code themselves, but motivated threat actors will likely be looking into the flaws in short order, so on-premises customers are advised to apply all four patches as soon as is practical to safeguard against exploitation.

A Commvault spokesperson said: “We thank external researcher WatchTowr for responsibly disclosing these vulnerabilities. Patches were promptly made available and customers were not impacted. The later versions of our code do not have these vulnerabilities.”
