On August 19th, Commvault published advisory CV_2025_08_2 for a newly discovered path traversal flaw in the Web Server component. The flaw allows a remote attacker to read or write files outside the intended directories and may lead to RCE.
The vulnerability is being tracked as CVE-2025-57790, and more details are expected to come out in the coming days as Commvault and researchers publish technical specifics and IOCs.
In the meantime, organizations are advised to upgrade to 11.36.60 or 11.32.102 and to restrict external access to the Web Server.
Affected versions
- Commvault Web Server (Linux/Windows)
- 11.36.0–11.36.59 → update to 11.36.60+
- 11.32.0–11.32.101 → update to 11.32.102+
- Commvault SaaS: not impacted.
Severity: CVSS 8.7 (High)
Why it matters
Commvault web-tier issues have been repeatedly targeted this year (e.g., the CVE-2025-3928 webshell campaigns), so a fresh path-traversal-to-RCE flaw in the same tier deserves high urgency.
The fix ships in 11.36.60 (and 11.32.102 on the 11.32 line) alongside other PSIRT hardening for API/auth paths; environments running below those maintenance releases are exposed.
Mitigation actions
- Patch now (Web Server first).
Move 11.36.x to 11.36.60 or later, and 11.32.x to 11.32.102 or later, on every Web Server and Command Center node. Validate the running version from Command Center → Manage → Servers, filtered by the Web Server role, and confirm that every node shows the fixed maintenance release.
- Reduce exposure.
Restrict Web Server/Command Center to admin networks or VPN, enforce MFA on admin SSO, and avoid direct internet exposure where operationally possible. (The web tier has been an attacker focus in 2025.)
- Hardening checks (post-patch).
Ensure you’re on builds that include API/auth PSIRT fixes in 11.36.60 and later.
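The patch-validation step above is easy to get wrong at fleet scale when versions are compared as strings. The Python below is an added example, not code from the original post or from Commvault: it triages an inventory of hosts against the fixed releases the advisory names. The inventory rows, the role names, and the unlisted feature release (11.30.x) are constructed assumptions; the version-string shape is assumed to be major.feature.maintenance as written in this post.

```python
from typing import Dict, Iterable, Tuple

# Fixed maintenance releases per feature release, as stated in advisory CV_2025_08_2.
FIXED_IN = {
    (11, 36): (11, 36, 60),
    (11, 32): (11, 32, 102),
}
# Roles that carry the vulnerable web tier. "MediaAgent" below is a constructed
# non-web role included only to show the filter working.
WEB_TIER_ROLES = {"Web Server", "Command Center"}

# Constructed inventory (host, role, version); not from any real environment.
INVENTORY = [
    ("cv-web-01", "Web Server", "11.36.59"),
    ("cv-web-02", "Web Server", "11.36.60"),
    ("cv-cc-01", "Command Center", "11.32.101"),
    ("cv-cc-02", "Command Center", "11.32.102"),
    ("cv-web-03", "Web Server", "11.36.9"),
    ("cv-ma-01", "MediaAgent", "11.36.55"),
    ("cv-web-04", "Web Server", "11.30.14"),  # assumed: a feature release the advisory does not list
]


def parse_version(v: str) -> Tuple[int, int, int]:
    """'11.36.59' -> (11, 36, 59). Compare as integers: as strings, '11.36.9'
    sorts after '11.36.60' and would be mis-read as already patched."""
    parts = v.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognized version string: {v!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def status(version: str) -> str:
    """'patch' if inside an affected range, 'ok' if at or after the fix,
    'unlisted' if the feature release is not covered by the advisory."""
    ver = parse_version(version)
    fixed = FIXED_IN.get(ver[:2])
    if fixed is None:
        return "unlisted"  # verify against Commvault directly; do not assume safe
    return "patch" if ver < fixed else "ok"


def triage(inventory: Iterable[Tuple[str, str, str]]) -> Dict[str, str]:
    """Map each web-tier host to its patch status; other roles are skipped."""
    return {host: status(ver) for host, role, ver in inventory if role in WEB_TIER_ROLES}


if __name__ == "__main__":
    for host, st in sorted(triage(INVENTORY).items()):
        print(f"{host:<10} {st}")
```

Feed it the export of the Command Center server list instead of INVENTORY; anything reported as "patch" is still exposed, and anything "unlisted" needs a manual check rather than being treated as clean.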
Detection & hunting guidance (generic for path traversal)
Until endpoint specifics are public, hunt for common traversal/RCE footprints on Commvault Web Server hosts:
- Web access logs: requests containing traversal tokens (../, ..\, URL-encoded %2e%2e%2f, double-encoded %252e%252e%252f, overlong UTF-8 forms such as %c0%ae, or %u-encoded forms such as %u002e) that hit upload/install/config or archive-extraction endpoints. Compare volume and referrers against baseline.
- File integrity: recent creation/modification of web-executable artifacts (e.g., .jsp under Commvault web roots / temp extract paths); unexpected files outside intended directories (a hallmark of traversal abuse).
- Process/child chains: unusual java/application server child processes, or command shells spawned by the web tier.
- Outbound beacons: new external egress from Web Server hosts (webshell C2).
Review from July 1, 2025 → present if you were on impacted builds and externally exposed.
(These behaviors mirror how earlier Commvault web bugs were exploited to drop webshells.)
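As an added, runnable illustration of the access-log hunt described above (not code from the original post or from Commvault), the Python below canonicalizes each request path (repeated URL decoding for double encoding, folding of overlong UTF-8 and %u forms, backslash-to-slash), counts ".." segments, checks whether the decoded path climbs above the web root, flags the endpoint classes the post singles out, and tallies findings per source for comparison against baseline. The log line format, the sample lines, and the sensitive-endpoint keywords are constructed assumptions; adapt LOG_RE to what your web tier or reverse proxy actually writes.

```python
import re
import urllib.parse
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Constructed sample lines, not real Commvault Web Server logs. The shape
# "client method raw-path status" is an assumption for this example.
SAMPLE_LOG = """\
10.0.0.5 GET /webconsole/api/Login 200
203.0.113.7 GET /webconsole/..%2f..%2f..%2fwindows%2fwin.ini 200
203.0.113.7 GET /webconsole/%252e%252e%252f%252e%252e%252fetc%252fpasswd 404
198.51.100.9 POST /webconsole/upload?path=..\\..\\webroot\\shell.jsp 200
203.0.113.7 GET /webconsole/%c0%ae%c0%ae/%c0%ae%c0%ae/boot.ini 403
10.0.0.6 GET /webconsole/images/logo.png 200
"""

LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")
# A ".." segment: not glued to a preceding word char or dot, followed by "/" or end.
DOTDOT_RE = re.compile(r"(?<![.\w])\.\.(?=/|$)")
# Endpoint classes from the post; the exact keywords are assumed, tune per deployment.
SENSITIVE_RE = re.compile(r"upload|install|config|extract|archive")
# Overlong UTF-8 and %u-style encodings: urllib.parse.unquote turns these into
# replacement characters rather than '.' or '/', so fold them before decoding.
OVERLONG = {
    "%c0%ae": ".", "%e0%80%ae": ".",   # '.'
    "%c0%af": "/", "%e0%80%af": "/",   # '/'
    "%c1%9c": "\\",                    # '\'
    "%u002e": ".", "%u2215": "/", "%u2216": "\\",
}


def canonicalize(raw: str, max_rounds: int = 3) -> str:
    """Lower-case, fold overlong/%u forms, URL-decode repeatedly (catches double
    encoding), and unify backslashes so one regex covers every variant."""
    s = raw.lower()
    for _ in range(max_rounds):
        for enc, ch in OVERLONG.items():
            s = s.replace(enc, ch)
        decoded = urllib.parse.unquote(s)
        if decoded == s:
            break
        s = decoded
    return s.replace("\\", "/")


def escapes_root(canonical: str) -> bool:
    """Walk the decoded request path (query string dropped); True once '..'
    climbs above the web root."""
    depth = 0
    for seg in canonical.split("?", 1)[0].split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def scan_line(line: str) -> Optional[Dict]:
    """Return a finding for one access-log line, or None if nothing traversal-like."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    canon = canonicalize(m["path"])
    hops = len(DOTDOT_RE.findall(canon))
    if hops == 0:
        return None
    return {
        "ip": m["ip"],
        "raw": m["path"],
        "canonical": canon,
        "hops": hops,
        "status": int(m["status"]),
        "escapes_root": escapes_root(canon),
        "sensitive_endpoint": bool(SENSITIVE_RE.search(canon)),
    }


def hunt(lines: Iterable[str]) -> List[Dict]:
    return [f for f in (scan_line(l) for l in lines) if f]


def by_source(findings: List[Dict]) -> Dict[str, int]:
    """Per-client counts, for the volume-versus-baseline comparison."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    findings = hunt(SAMPLE_LOG.splitlines())
    for f in findings:
        flags = []
        if f["escapes_root"]:
            flags.append("ESCAPES-ROOT")
        if f["sensitive_endpoint"]:
            flags.append("SENSITIVE-ENDPOINT")
        print(f'{f["ip"]:<14} hops={f["hops"]} status={f["status"]} {f["canonical"]} {" ".join(flags)}')
    print("per-source:", by_source(findings))
```

A 200 on a request whose canonical path escapes the root (the win.ini line in the sample) is the one to chase first; a 403 or 404 on the same pattern still tells you who is probing. Traversal that lives in a parameter rather than the path (the upload line) will not trip the root-escape check, which is why the endpoint flag is kept separate.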
Stay Safe. Stay Secure.
OP Innovate Research Team