CVE-2024-13975: 
Commvault vulnerability analysis and mitigation

A local privilege escalation vulnerability has been identified in Commvault for Windows, affecting versions 11.20.0, 11.28.0, 11.32.0, 11.34.0, and 11.36.0. The vulnerability was disclosed on July 25, 2025, and has been assigned CVE-2024-13975. The issue specifically impacts Windows access nodes that are used for file server data protection jobs (Commvault Advisory, VulnCheck).

The vulnerability is classified as an Improper Privilege Management issue (CWE-269). It has received a CVSS v4.0 base score of 8.5 (HIGH) with the vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, indicating local access requirements but high potential impact on confidentiality, integrity, and availability (VulnCheck).

When exploited, this vulnerability allows a local attacker who owns a client system with the file server agent installed to compromise any assigned Windows access nodes. This can lead to unauthorized access and potential lateral movement within the backup infrastructure (Commvault Advisory).

Commvault has released patches to address this vulnerability. Users should upgrade to the following versions based on their current installation: version 11.32.60 for 11.20.0, 11.28.0, and 11.32.0 installations; version 11.34.34 for 11.34.0 installations; and version 11.36.8 for 11.36.0 installations (Commvault Advisory).