CVE-2025-57790: 
Commvault vulnerability analysis and mitigation

A critical security vulnerability (CVE-2025-57790) was discovered in Commvault software versions before 11.36.60. The vulnerability was identified and reported by watchTowr Labs researchers in April 2025, and patches were released in August 2025. This path traversal vulnerability allows remote attackers to perform unauthorized file system access, potentially leading to remote code execution (Commvault Advisory, Hacker News).

The vulnerability has been assigned a CVSS v4.0 base score of 8.7 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, and a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-36 (Absolute Path Traversal) and affects Commvault versions 11.32.0 through 11.32.101 and 11.36.0 through 11.36.59 on both Linux and Windows platforms (NVD).

The vulnerability enables remote attackers to perform unauthorized file system access through a path traversal issue, which can ultimately lead to remote code execution on affected systems. This vulnerability can be combined with other flaws to create pre-authentication exploit chains, significantly increasing its potential impact (Hacker News).

Commvault has released patches to address this vulnerability. Users running affected versions should upgrade to version 11.32.102 (for 11.32.x installations) or version 11.36.60 (for 11.36.x installations). The Commvault SaaS solution is not affected by this vulnerability and requires no customer action (Commvault Advisory).