Commvault 11.32.x < 11.32.102 / 11.36.x < 11.36.60 Multiple Vulnerabilities (CV_2025_08_1-4)

Severity: High | Nessus Plugin ID 253649

Synopsis

The instance of Commvault installed on the remote host is affected by multiple vulnerabilities.

Description

The version of Commvault installed on the remote host is 11.32.x prior to 11.32.102 or 11.36.x prior to 11.36.60. It is, therefore, affected by multiple vulnerabilities as disclosed in Commvault advisories CV_2025_08_1, CV_2025_08_2, CV_2025_08_3 and CV_2025_08_4:

- A security vulnerability has been identified that allows remote attackers to inject or manipulate command-line arguments passed to internal components due to insufficient input validation. Successful exploitation results in a valid user session for a low-privilege role. (CVE-2025-57791)

- A security vulnerability has been identified that allows remote attackers to perform unauthorized file system access through a path traversal issue. The vulnerability may lead to remote code execution. (CVE-2025-57790)

- During the brief window between installation and the first administrator login, remote attackers may exploit the default credential to gain admin control. This is limited to the setup phase, before any jobs have been configured. (CVE-2025-57789)

- A vulnerability in a known login mechanism allows unauthenticated attackers to execute API calls without requiring user credentials. RBAC helps limit the exposure but does not eliminate risk. (CVE-2025-57788)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to version 11.32.102 or later on the 11.32.x branch, or to version 11.36.60 or later on the 11.36.x branch.
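The version condition this plugin evaluates, as an added worked example in Python (not Tenable's NASL source): it flags 11.32.x below 11.32.102 and 11.36.x below 11.36.60, compares only the first three numeric fields of the reported version, and reports any other branch as not assessed rather than as safe. The host names and version strings are constructed sample data; the exact format of the string the plugin reads from the `installed_sw/Commvault` KB item is an assumption here.

```python
"""Branch-aware version check for the Commvault ranges named in this plugin.

Added example (Python), not Tenable's NASL source. Affected ranges are those
stated in the description: 11.32.x < 11.32.102 and 11.36.x < 11.36.60.
Host names and version strings below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed version per affected feature-release branch (from the advisory text).
FIXED_BY_BRANCH = {
    (11, 32): (11, 32, 102),
    (11, 36): (11, 36, 60),
}


def parse_version(text: str) -> Version:
    """Parse '11.32.98' or '11.32.98.1234' into (11, 32, 98).

    Only the first three numeric fields are compared; anything after them
    (assumed to be a build number) is ignored. Non-numeric input raises
    ValueError rather than silently comparing as 'not vulnerable'.
    """
    fields = text.strip().split(".")
    if len(fields) < 3 or not all(f.isdigit() for f in fields[:3]):
        raise ValueError(f"unparseable Commvault version: {text!r}")
    major, minor, patch = (int(f) for f in fields[:3])
    return (major, minor, patch)


@dataclass
class Finding:
    installed: str
    assessed: bool        # False when the branch is outside the plugin's ranges
    vulnerable: bool
    fixed: Optional[str]  # fixed version for the branch, if assessed


def check_commvault(installed: str) -> Finding:
    """Return whether `installed` falls in a vulnerable range.

    Branches other than 11.32 and 11.36 are reported as not assessed: the
    plugin text says nothing about them, so neither 'safe' nor 'vulnerable'
    is claimed for them.
    """
    v = parse_version(installed)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return Finding(installed, assessed=False, vulnerable=False, fixed=None)
    return Finding(
        installed,
        assessed=True,
        vulnerable=v < fixed,  # tuple comparison: (11, 36, 59) < (11, 36, 60)
        fixed=".".join(map(str, fixed)),
    )


# Constructed inventory: (hostname, self-reported version). Not real hosts.
SAMPLE_INVENTORY = [
    ("cs-prod-01", "11.32.98"),
    ("cs-prod-02", "11.32.102"),
    ("ma-dr-01", "11.36.59.4021"),
    ("ma-dr-02", "11.36.60"),
    ("lab-cs-01", "11.40.12"),
]


def triage(inventory) -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """Split an inventory into hosts to patch and hosts the check cannot judge."""
    to_patch, unassessed = [], []
    for host, version in inventory:
        f = check_commvault(version)
        if not f.assessed:
            unassessed.append(host)
        elif f.vulnerable:
            to_patch.append((host, f.installed, f.fixed))
    return to_patch, unassessed


if __name__ == "__main__":
    patch, skip = triage(SAMPLE_INVENTORY)
    for host, have, need in patch:
        print(f"{host}: {have} -> upgrade to {need} or later")
    for host in skip:
        print(f"{host}: branch not covered by this plugin's ranges; review manually")
```

Because the check is version-only, as the plugin itself notes, a host that received a hotfix without a version bump, or one whose reported version is stale, will be judged on the string alone; treat the result as a prioritisation aid and confirm against the Commvault advisories linked below.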

See Also

http://www.nessus.org/u?0f451838

http://www.nessus.org/u?e8701f3a

http://www.nessus.org/u?305e0570

http://www.nessus.org/u?9f2e37bc

Plugin Details

Severity: High

ID: 253649

File Name: commvault_CV_2025_08_1-4.nasl

Version: 1.1

Type: local

Agent: windows

Family: Windows

Published: 8/22/2025

Updated: 8/22/2025

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v3

Risk Factor: High

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4

Risk Factor: High

Base Score: 8.7

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

CPE: cpe:/a:commvault:commvault

Required KB Items: installed_sw/Commvault

Patch Publication Date: 8/19/2025

Vulnerability Publication Date: 8/19/2025

Reference Information

CVE: CVE-2025-57788, CVE-2025-57789, CVE-2025-57790, CVE-2025-57791

IAVA: 2025-A-0625