Pre-auth exploit chains in Commvault enable remote code execution
Summary
Hide β²
Show βΌ
Commvault has patched four vulnerabilities that could be chained to achieve remote code execution on affected instances. The flaws affect versions before 11.36.60 and were discovered by watchTowr Labs researchers. Two exploit chains were identified, one of which requires the default admin password to be unchanged. The vulnerabilities were reported in April 2025 and resolved in versions 11.32.102 and 11.36.60. The vulnerabilities include a login mechanism flaw (CVE-2025-57788), a setup phase default credential issue (CVE-2025-57789), a path traversal vulnerability (CVE-2025-57790), and a command-line argument injection flaw (CVE-2025-57791).
Timeline
-
21.08.2025 19:38 π° 1 articles
Commvault patches four vulnerabilities enabling remote code execution
Commvault has released updates to fix four vulnerabilities that could be chained to achieve remote code execution on affected instances. The flaws were discovered by watchTowr Labs researchers in April 2025 and affect versions before 11.36.60. Two exploit chains were identified, one of which requires the default admin password to be unchanged. The vulnerabilities were resolved in versions 11.32.102 and 11.36.60.
Show sources
- Pre-Auth Exploit Chains Found in Commvault Could Enable Remote Code Execution Attacks β thehackernews.com β 21.08.2025 19:38
Information Snippets
-
Commvault has released updates to address four vulnerabilities affecting versions before 11.36.60.
First reported: 21.08.2025 19:38π° 1 source, 1 articleShow sources
- Pre-Auth Exploit Chains Found in Commvault Could Enable Remote Code Execution Attacks β thehackernews.com β 21.08.2025 19:38
-
The vulnerabilities include CVE-2025-57788 (CVSS 6.9), CVE-2025-57789 (CVSS 5.3), CVE-2025-57790 (CVSS 8.7), and CVE-2025-57791 (CVSS 6.9).
First reported: 21.08.2025 19:38π° 1 source, 1 articleShow sources
- Pre-Auth Exploit Chains Found in Commvault Could Enable Remote Code Execution Attacks β thehackernews.com β 21.08.2025 19:38
-
The flaws were discovered by watchTowr Labs researchers Sonny Macdonald and Piotr Bazydlo in April 2025.
First reported: 21.08.2025 19:38π° 1 source, 1 articleShow sources
- Pre-Auth Exploit Chains Found in Commvault Could Enable Remote Code Execution Attacks β thehackernews.com β 21.08.2025 19:38
-
The vulnerabilities can be chained into two pre-authenticated exploit chains to achieve remote code execution.
First reported: 21.08.2025 19:38π° 1 source, 1 articleShow sources
- Pre-Auth Exploit Chains Found in Commvault Could Enable Remote Code Execution Attacks β thehackernews.com β 21.08.2025 19:38
-
One exploit chain combines CVE-2025-57791 and CVE-2025-57790.
First reported: 21.08.2025 19:38π° 1 source, 1 articleShow sources
- Pre-Auth Exploit Chains Found in Commvault Could Enable Remote Code Execution Attacks β thehackernews.com β 21.08.2025 19:38
-
The second exploit chain involves CVE-2025-57788, CVE-2025-57789, and CVE-2025-57790, and requires the default admin password to be unchanged.
First reported: 21.08.2025 19:38π° 1 source, 1 articleShow sources
- Pre-Auth Exploit Chains Found in Commvault Could Enable Remote Code Execution Attacks β thehackernews.com β 21.08.2025 19:38
-
The vulnerabilities were resolved in Commvault versions 11.32.102 and 11.36.60.
First reported: 21.08.2025 19:38π° 1 source, 1 articleShow sources
- Pre-Auth Exploit Chains Found in Commvault Could Enable Remote Code Execution Attacks β thehackernews.com β 21.08.2025 19:38
-
Commvault SaaS solution is not affected by these vulnerabilities.
First reported: 21.08.2025 19:38π° 1 source, 1 articleShow sources
- Pre-Auth Exploit Chains Found in Commvault Could Enable Remote Code Execution Attacks β thehackernews.com β 21.08.2025 19:38
Similar Happenings
CVE-2025-5086 in DELMIA Apriso Exploited in the Wild
A critical deserialization vulnerability (CVE-2025-5086) in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software is being actively exploited. The flaw, with a CVSS score of 9.0, affects versions from Release 2020 through Release 2025. The vulnerability allows for remote code execution, and exploitation attempts have been observed originating from an IP address in Mexico. The attacks involve sending a malicious HTTP request with a Base64-encoded payload. The payload decodes to a Windows executable identified as "Trojan.MSIL.Zapchast.gen," a spyware capable of capturing user activities and sending collected information to attackers. DELMIA Apriso is used in production processes for digitalizing and monitoring, including scheduling production, quality management, resource allocation, warehouse management, and integration between production equipment and business applications. The flaw impacts critical industries such as automotive, aerospace, electronics, high-tech, and industrial machinery. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to the Known Exploited Vulnerabilities (KEV) catalog and is advising federal agencies to apply necessary updates by October 2, 2025.
Remote Code Execution Vulnerability in Samsung's libimagecodec.quram.so Library Exploited in the Wild
A remote code execution vulnerability in Samsung's libimagecodec.quram.so library, tracked as CVE-2025-21043, was actively exploited in zero-day attacks targeting Samsung Android devices running Android 13, 14, 15, or 16. The flaw, reported by Meta and WhatsApp, allows attackers to execute arbitrary code remotely due to an out-of-bounds write weakness. The CVSS score for the vulnerability is 8.8. Samsung has released a patch for the vulnerability in the September 2025 Security Maintenance Release (SMR). The exploit may affect other instant messengers using the vulnerable library. Users are advised to update their devices to the latest security patch.
Akira Ransomware Exploits SonicWall SSL VPN Flaws and Misconfigurations
The Akira ransomware group has been actively exploiting vulnerabilities and misconfigurations in SonicWall SSL VPN devices to gain initial access to networks. This campaign has seen increased activity since late July 2025, targeting organizations globally, including those in Australia. The attacks leverage a year-old flaw (CVE-2024-40766) and misconfigured LDAP settings to bypass access controls and facilitate ransomware deployment. The threat actors use a combination of brute-forcing credentials, exploiting default configurations, and leveraging the Virtual Office Portal to configure multi-factor authentication (MFA) with valid accounts. These tactics allow them to bypass security measures and gain unauthorized access to networks. SonicWall has confirmed that recent SSLVPN activity is related to CVE-2024-40766, not a zero-day vulnerability. The affected firewall versions include specific models of Gen 5, Gen 6, and Gen 7 devices. Organizations are advised to update to firmware version 7.3.0 or later, rotate passwords, enforce MFA, mitigate the SSLVPN Default Groups risk, and restrict Virtual Office Portal access to trusted/internal networks to mitigate risks.
Critical SessionReaper vulnerability patched in Adobe Commerce and Magento Open Source
Adobe has patched a critical vulnerability (CVE-2025-54236) in its Commerce and Magento Open Source platforms, dubbed SessionReaper. This flaw, with a CVSS score of 9.1, could allow unauthenticated attackers to take control of customer accounts via the Commerce REST API. The patch was released on September 9, 2025, following an emergency notification to selected customers on September 4, 2025. Adobe Commerce on Cloud customers were already protected by a WAF rule deployed as an interim measure. The vulnerability is considered one of the most severe in the platform's history, with potential for widespread exploitation. Administrators are advised to apply the patch immediately, as it disables certain internal Magento functionalities that may affect custom or external code. The affected versions include Adobe Commerce 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, 2.4.5-p14 and earlier, and 2.4.4-p15 and earlier. The affected versions also include Adobe Commerce B2B 1.5.3-alpha2 and earlier, 1.5.2-p2 and earlier, 1.4.2-p7 and earlier, 1.3.4-p14 and earlier, and 1.3.3-p15 and earlier. The affected versions include Magento Open Source 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, and 2.4.5-p14 and earlier. The Custom Attributes Serializable module versions 0.1.0 to 0.4.0 are also affected.
Critical SAP NetWeaver Command Execution Vulnerabilities Patched
SAP has patched three critical vulnerabilities in NetWeaver, its middleware for business applications. The most severe flaw, CVE-2025-42944, allows unauthenticated attackers to execute arbitrary OS commands via insecure deserialization. Two other critical issues, CVE-2025-42922 and CVE-2025-42958, enable authenticated users to upload arbitrary files and unauthorized users to access administrative functions. These vulnerabilities affect SAP's ERP, CRM, SRM, and SCM applications, widely used in large enterprise networks. The patches come amid ongoing exploitation of another critical SAP vulnerability, CVE-2025-42957, which affects S/4HANA, Business One, and NetWeaver products. SAP released 21 new and four updated security notes on September 2025 patch day, including updates for NetWeaver AS ABAP and other SAP products. SAP has also released a patch for a high-severity missing input validation bug in SAP S/4HANA (CVE-2025-42916, CVSS score: 8.1).