

Ethical Hacking News

Commvault Releases Patches for Two Pre-Auth RCE Bug Chains Following High-Severity Vulnerability Disclosures


Commvault has released patches for two pre-auth RCE bug chains in response to high-severity vulnerability disclosures. The fixes address a chain of vulnerabilities that, while individually not extremely concerning, become more dangerous when exploited together.

  • Commvault has released patches for two pre-auth remote code execution (RCE) bug chains.
  • The first chain involves CVE-2025-57791 (argument injection) and CVE-2025-57790 (path traversal) vulnerabilities, which become more dangerous when chained together.
  • The first vulnerability, with a CVSS score of 6.9 (medium severity), allows attackers to bypass password authentication for a local admin user.
  • The second vulnerability carries the highest severity score of all four vulnerabilities at 8.7 and is classified as a path traversal flaw, allowing RCE.
  • Another vulnerability in the chain allows attackers to gain admin access and full control of the target system.
  • Commvault has released patches for both vulnerability chains following their disclosure.


    Commvault, a leading provider of data protection and management solutions, has released patches for two pre-auth remote code execution (RCE) bug chains following the disclosure of high-severity vulnerabilities by researchers at watchTowr. The disclosures were made public in April 2025, after which Commvault was notified and subsequently released fixes to address the vulnerabilities.

    The first chain involves two vulnerabilities, CVE-2025-57791 and CVE-2025-57790, which are an argument injection bug in CommServe and a path traversal bug respectively. The severity scores for these flaws are not especially concerning on their own, but the flaws become more dangerous when chained together.

    The first vulnerability, CVE-2025-57791, has a CVSS score of 6.9 (medium severity) and allows attackers to retrieve a valid user session for a low-privilege role. However, researchers found that by altering fields in the request to the QLogin endpoint, they could bypass the need for a password and generate an API token for the local admin user.

    In contrast, the second vulnerability, CVE-2025-57790, carries the highest severity score of all four vulnerabilities at 8.7 and is classified as a path traversal flaw. The researchers found that this bug allowed them to write a JSP webshell directly into the webroot, achieving RCE.
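
A defender-side check for the outcome described above, a JSP file written into the webroot: compare the webroot against a known-good manifest and report new or changed server-executable scripts. This is an added example, not Commvault's or watchTowr's code; the extension list, the function names and the temporary directory standing in for the webroot are assumptions.

```python
import hashlib
import os
import tempfile

# Assumption: script types a Java servlet container will execute.
SERVER_SIDE_EXTS = {".jsp", ".jspx"}

def snapshot(webroot):
    """Map each file path (relative to webroot, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            manifest[rel] = digest
    return manifest

def diff_webroot(baseline, current):
    """Return (new, modified) lists of executable scripts versus the baseline."""
    new, modified = [], []
    for rel, digest in sorted(current.items()):
        # Case-insensitive match so "x.JSP" is not missed.
        if os.path.splitext(rel)[1].lower() not in SERVER_SIDE_EXTS:
            continue
        if rel not in baseline:
            new.append(rel)
        elif baseline[rel] != digest:
            modified.append(rel)
    return new, modified

def demo():
    """Constructed sample: a temporary directory stands in for the webroot."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "reports"))
        for rel, body in [("index.jsp", b"<%-- home --%>"), ("logo.png", b"\x89PNG")]:
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        baseline = snapshot(root)  # taken from a known-good install
        # Constructed post-baseline changes: one new script, one edited script.
        with open(os.path.join(root, "reports", "x.JSP"), "wb") as fh:
            fh.write(b"<%-- placeholder content --%>")
        with open(os.path.join(root, "index.jsp"), "ab") as fh:
            fh.write(b"<%-- changed --%>")
        return diff_webroot(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

The baseline manifest should be stored off the monitored host, since an attacker who can write to the webroot may also be able to rewrite a manifest kept beside it.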

    The second chain, which relies on specific but common conditions within a target's environment being met, also exploits the same path traversal bug to ultimately achieve RCE, albeit after exploiting two additional, medium-severity flaws. The first of these vulnerabilities allows unauthenticated users to call APIs to bypass authentication and leak the password of the low-privileged _PublicSharingUser_ account via a returned JSON web token.

    Another vulnerability in this chain allows attackers to gain admin access and full control of the target system, bridging the gap between two previously identified vulnerabilities. Researchers found that by using this vulnerability, they could retrieve user details, including encrypted passwords for admin accounts, and then decrypt these using Commvault's code. They used this method against the retrieved admin password to log in as that admin.

    The disclosure timeline revealed that watchTowr originally pushed back on one of the vulnerabilities, arguing that it was impractical due to conditions that highly limit exploitability. However, subsequent patches have addressed concerns around the vulnerability's feasibility.

    In response to these disclosures and patches, researchers at watchTowr emphasized that many Commvault administrators do not use the built-in admin account, which could leave this attack path viable for longer. They also noted that even with limitations, the first chain of vulnerabilities remains impactful.

    Commvault has released patches for both vulnerability chains following their disclosure to ensure users can apply the necessary updates and prevent exploitation of these flaws.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Commvault-Releases-Patches-for-Two-Pre-Auth-RCE-Bug-Chains-Following-High-Severity-Vulnerability-Disclosures-ehn.shtml

  • https://go.theregister.com/feed/www.theregister.com/2025/08/20/commvault_bug_chains_patched/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-57791

  • https://www.cvedetails.com/cve/CVE-2025-57791/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-57790

  • https://www.cvedetails.com/cve/CVE-2025-57790/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-57792

  • https://www.cvedetails.com/cve/CVE-2025-57792/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-57793

  • https://www.cvedetails.com/cve/CVE-2025-57793/


  • Published: Wed Aug 20 12:28:13 2025 by llama3.2 3B Q4_K_M












