Researchers disclosing their findings said 'it's as bad as it sounds'
August 20, 2025 By Connor Jones
Researchers at watchTowr have just published working proof-of-concept exploits for two unauthenticated remote code execution bug chains in Commvault's backup software.
They reported the four vulnerabilities to Commvault in April, and the vendor released patches on Wednesday. Commvault SaaS is unaffected.
All users are advised to apply the available updates, especially since the first of the two chains works against all unpatched instances.
The first chain involves two vulnerabilities (CVE-2025-57791 and CVE-2025-57790), an argument injection in CommServe and a path traversal bug respectively. The severity scores for the flaws are not especially concerning on their own, but chained together they become more dangerous.
Commvault's advisory describes CVE-2025-57791 as a vulnerability that allows attackers to retrieve a valid user session for a low-privilege role, and assigns it a CVSS score of 6.9 (medium severity).
In its PoC, watchTowr painted a different view, showing how to gain access to a local admin account.
The argument injection bug at the heart of this chain lies in one of Commvault's QCommands. These are used to carry out administrative functions, and invoking them normally requires a valid API token.
QLogin is a QCommand that handles authentication, and researchers found that by altering fields in the request to the Login endpoint, they could bypass the need for a password and generate an API token for the local admin user.
The second vulnerability in the chain, CVE-2025-57790, is a path traversal flaw and carries the highest severity score (8.7) of the four bugs patched today. Path traversal is a bug class CISA has said should have been eradicated long ago.
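The two bug classes that make up this chain, shown as added example code that is not Commvault's or watchTowr's and does not reproduce their findings: a hypothetical login endpoint that builds a command line for a privileged CLI tool out of request fields (argument injection), and a hypothetical upload handler that joins a user-supplied filename onto a base directory (path traversal), each beside a hardened form. The tool name, the `--grant-admin` flag, the field names, the user table and the upload directory are all invented for the illustration.

```python
"""Added example: argument injection and path traversal, vulnerable vs hardened.

Nothing here is Commvault code. `login_tool` stands in for any CLI that the
web layer shells out to, and `--grant-admin` is an invented maintenance
switch that issues a privileged session without checking a password.
"""
import os
import re
import shlex

# Constructed user table for the demo.
USERS = {"alice": "s3cret"}


def login_tool(argv):
    """Simulated privileged login CLI. Usage: login -u USER -p PASS [--grant-admin].

    Returns the role of the session it would issue. The flag is the kind of
    operator-only switch that must never be reachable from request data.
    """
    opts = {"-u": None, "-p": ""}
    grant_admin = False
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok == "--grant-admin":
            grant_admin = True
            i += 1
        elif tok in opts and i + 1 < len(argv):
            opts[tok] = argv[i + 1]
            i += 2
        else:
            raise ValueError(f"unexpected argument {tok!r}")
    if grant_admin:
        return "localadmin"  # no password check: the dangerous path
    if opts["-u"] is not None and USERS.get(opts["-u"]) == opts["-p"]:
        return "user"
    raise PermissionError("bad credentials")


def vulnerable_login(fields):
    """Builds one string and re-tokenises it: a username containing a space
    and a flag becomes extra argv entries, so the caller picks the flag."""
    cmd = f"login -u {fields['username']} -p {fields['password']}"
    return login_tool(shlex.split(cmd))


# Allowlist: alphanumeric start, no spaces, no leading dash, bounded length.
FIELD_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.@-]{0,63}$")


def hardened_login(fields):
    """Validates the username and passes argv as a list, so each request
    field is exactly one argument and can never become a flag."""
    user, pw = fields["username"], fields["password"]
    if not FIELD_RE.match(user):
        raise ValueError("username rejected")
    return login_tool(["login", "-u", user, "-p", pw])


UPLOAD_ROOT = "/var/app/uploads"  # invented base directory


def vulnerable_save_path(name):
    """Joins the raw name: '../' sequences walk out of UPLOAD_ROOT, and an
    absolute name replaces the root entirely."""
    return os.path.join(UPLOAD_ROOT, name)


def safe_save_path(name):
    """Canonicalises the joined path and refuses anything outside the root.
    Checking commonpath on the resolved path also defeats 'uploads_evil'
    style prefix tricks that a plain startswith() would accept."""
    root = os.path.realpath(UPLOAD_ROOT)
    candidate = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes upload root")
    return candidate


if __name__ == "__main__":
    attack = {"username": "bob --grant-admin", "password": "x"}
    print("vulnerable:", vulnerable_login(attack))
    try:
        hardened_login(attack)
    except ValueError as e:
        print("hardened:", e)
    print("traversal:", vulnerable_save_path("../../www/shell.aspx"))
    try:
        safe_save_path("../../www/shell.aspx")
    except ValueError as e:
        print("hardened:", e)
```

The argument injection fix is the combination of the two measures, not either alone: the list form stops re-tokenisation, and the allowlist stops a value that is itself a flag from being accepted by a tool that parses more loosely than this one. The path check must run on the resolved path, after `realpath`, otherwise `..` components and symlinks are compared before they take effect.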