Commvault releases patches for two pre-auth RCE bug chains
Briefly

Researchers published proof-of-concept exploits for two unauthenticated remote code execution bug chains affecting Commvault on-premises instances. Four vulnerabilities were reported and patches have been released; Commvault SaaS is unaffected. The first chain combines an argument injection (CVE-2025-57791), which retrieves a valid session for a low-privilege user, with a path traversal (CVE-2025-57790) that turns that foothold into code execution. QCommands, and the QLogin endpoint in particular, are central to the exploit: manipulating the login request yields an API token without a password. The path traversal then writes a JSP webshell into the webroot, achieving full RCE. Every unpatched on-premises instance is at risk; apply the updates immediately.
The first chain involves two vulnerabilities, CVE-2025-57791 and CVE-2025-57790: an argument injection in CommServe and a path traversal bug, respectively. Neither severity score is especially alarming on its own, but chained together the two become far more dangerous. Commvault's advisory describes CVE-2025-57791 as a vulnerability that lets an attacker retrieve a valid user session for a low-privilege role, and assigns it a CVSS score of 6.9 (medium severity).
The argument injection at the heart of this chain lies in one of Commvault's QCommands. QCommands carry out administrative functions, and calling them normally requires a valid API token. QLogin is the QCommand that handles authentication, and the researchers found that by altering fields in the request to the Login endpoint they could bypass the password check and obtain an API token for the local admin user.
Read at The Register