CVE-2025-57788: 
Commvault vulnerability analysis and mitigation

A vulnerability (CVE-2025-57788) was discovered in Commvault versions before 11.36.60, affecting both Linux and Windows platforms. The vulnerability exists in a known login mechanism that allows unauthenticated attackers to execute API calls without requiring user credentials. The issue was discovered and reported by Sonny and Piotr Bazydlo of watchTowr in April 2025, with patches released in August 2025 (Commvault Advisory, Hacker News).

The vulnerability has been assigned a CVSS v4.0 base score of 6.9 (Medium) and CVSS v3.1 base score of 6.5 (Medium). The vulnerability stems from an argument injection flaw in the QLogin command functionality, where attackers can manipulate the authentication process through the commserver and password parameters. The issue specifically involves the ability to inject the -localadmin argument, which when executed with elevated privileges through the .NET backend process, allows authentication bypass (WatchTowr Labs).

The vulnerability allows unauthenticated attackers to bypass authentication controls and execute API calls without valid credentials. While Role-Based Access Control (RBAC) helps limit the exposure, it does not completely eliminate the risk. The vulnerability can potentially lead to unauthorized access to sensitive backup data and system configurations (Commvault Advisory, Fortra).

Commvault has released patches to address this vulnerability in versions 11.32.102 and 11.36.60. Organizations running affected versions should upgrade immediately to the resolved maintenance release. The Commvault SaaS solution is not affected by this vulnerability and requires no customer action (Commvault Advisory).