CVE-2025-57788

MEDIUM EXPLOITED NUCLEI

Commvault - Unauthenticated API Access

Title source: llm

Description

A vulnerability in a known login mechanism allows unauthenticated attackers to execute API calls without requiring user credentials. RBAC helps limit the exposure but does not eliminate risk.

Nuclei Templates (1)

Commvault Unauthenticated Password Disclosure (WT-2025-0047)

MEDIUMVERIFIEDby DhiyaneshDK,iamnoooob,pdresearch,watchtowr

Shodan: http.favicon.hash:-542502280

References (2)

[Vendor Advisory] https://documentation.commvault.com/securityadvisories/CV_2025_08_3.html

[Exploit, Third Party Advisory] https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/#wt-2025-0047hardcoded-credentials

Scores

CVSS v3 6.5

EPSS 0.8312

EPSS Percentile 99.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Details

VulnCheck KEV 2025-08-23

CWE

CWE-259

Status published

Products (1)

commvault/commvault < 11.36.60

Published Aug 20, 2025

Tracked Since Feb 18, 2026