CVE-2025-57790 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.8 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
mitre	CNA	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 51%

Vendor	Product	Version
commvault	commvault	𝑥 < 11.36.60

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-36 - Absolute Path Traversal
The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.

Vulnerability Media Exposure

[GERMAN] Commvault: Hochriskante Lücke ermöglicht Einschleusen von Schadcode
In der Backup-Software Commvault können Angreifer Sicherheitslücken missbrauchen, um etwa Schadcode einzuschleusen. Updates stehen bereit.
Published: 2025-08-20T08:39:00+00:00
[GERMAN] Commvault Backup & Recovery: Mehrere Schwachstellen
Ein entfernter anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Commvault Backup & Recovery ausnutzen, um sich erweiterte Berechtigungen zu verschaffen, beliebigen Code auszuführen und Sicherheitsmaßnahmen zu umgehen.
Published: 2025-08-19T22:00:00+00:00
[ENGLISH] Pre-Auth Exploit Chains Found in Commvault Could Enable Remote Code Execution Attacks
Commvault has released updates to address four security gaps that could be exploited to achieve remote code execution on susceptible instances. The list of vulnerabilities, identified in Commvault versions before 11.36.60, is as follows - CVE-2025-57788 (CVSS score: 6.9) - A vulnerability in a known login mechanism allows unauthenticated attackers to execute API calls without requiring user
Published: 2025-08-21T22:08:00+05:30

References

https://documentation.commvault.com/securityadvisories/CV_2025_08_2.html