CVE-2017-18044

CRITICAL

Commvault < 11.0 - Unauthenticated OS Command Injection via CVDataPipe.dll Message Parsing

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2017-18044. PoCs were published by securifera and b0yd, including the Metasploit module exploits/windows/misc/commvault_cmd_exec.

AI-analyzed exploit summary: This is a functional proof-of-concept exploit for CVE-2017-18044, a command injection vulnerability in Commvault v11 SP5 and older. It crafts a malicious network packet to execute arbitrary commands on the target system via a TCP connection to port 8400.

Description

A Command Injection issue was discovered in ContentStore/Base/CVDataPipe.dll in Commvault before v11 SP6. A certain message parsing function inside the Commvault service does not properly validate the input of an incoming string before passing it to CreateProcess. As a result, a specially crafted message can inject commands that will be executed on the target operating system. Exploitation of this vulnerability does not require authentication and can lead to SYSTEM level privilege on any system running the cvd daemon. This is a different vulnerability than CVE-2017-3195.

Exploits (2)

nomisec WORKING POC 4 stars
by securifera · poc
https://github.com/securifera/CVE-2017-18044-Exploit

This is a functional proof-of-concept exploit for CVE-2017-18044, a command injection vulnerability in Commvault v11 SP5 and older. It crafts a malicious network packet to execute arbitrary commands on the target system via a TCP connection to port 8400.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Commvault v11 SP5 and older
No auth needed
Prerequisites: Network access to the target system on port 8400 · Target system running vulnerable Commvault version
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC GOOD
by b0yd · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/misc/commvault_cmd_exec.rb

This Metasploit module exploits a command injection vulnerability in Commvault Communications Service (cvd.exe) by sending a crafted packet to TCP port 8400, allowing arbitrary command execution as SYSTEM. The exploit leverages PowerShell payload encoding and a malformed message structure to bypass authentication.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Commvault Communications Service v11 SP5 and earlier
No auth needed
Prerequisites: Network access to TCP port 8400 · Commvault Communications Service running on target
devstral-2 · analyzed Feb 19, 2026

References (3)

Core References
Third Party Advisory x_refsource_misc
https://github.com/rapid7/metasploit-framework/pull/9389
Exploit, Third Party Advisory x_refsource_misc
https://github.com/rapid7/metasploit-framework/pull/9340
Third Party Advisory x_refsource_misc
https://www.securifera.com/advisories/sec-2017-0001/

Scores

CVSS v3: 9.8
EPSS: 0.6975
EPSS Percentile: 99.3%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-78
Status: published
Products (2)
commvault/commvault 11.0 sp1 (5 CPE variants)
commvault/commvault < 11.0
Published: Jan 19, 2018
Tracked Since: Feb 18, 2026