CVE-2025-57788: 
Commvault vulnerability analysis and mitigation

A vulnerability (CVE-2025-57788) was discovered in Commvault versions prior to 11.36.60. The flaw exists in a known login mechanism that allows unauthenticated attackers to execute API calls without requiring user credentials. The vulnerability was discovered by researchers Sonny Macdonald and Piotr Bazydlo from watchTowr Labs in April 2025 and has been assigned a CVSS score of 6.9 (Medium) (Commvault Advisory, Hacker News).

The vulnerability stems from an argument injection issue in the QLogin authentication mechanism. When processing authentication requests with a commserver parameter, the system executes QLogin commands through a .NET process running with SYSTEM privileges. The flaw allows attackers to inject additional arguments into the authentication process, particularly the -localadmin switch, which can generate valid API tokens without requiring credentials. The vulnerability is made more severe by the fact that while Role-Based Access Control (RBAC) provides some limitations, it does not completely eliminate the risk (WatchTowr Labs).

The vulnerability enables unauthenticated attackers to bypass authentication controls and execute API calls without valid credentials. When chained with other vulnerabilities (CVE-2025-57789 and CVE-2025-57790), it can lead to remote code execution on affected systems. This poses a significant risk to organizations using Commvault's backup solutions, potentially compromising their data security and business continuity (GBHackers, Fortra).

Commvault has released patches to address this vulnerability. Organizations running affected versions should upgrade to version 11.32.102 (for 11.32.x installations) or version 11.36.60 (for 11.36.x installations). It's worth noting that Commvault SaaS solutions are not affected by this vulnerability and require no customer action (Commvault Advisory, Fortra).