CVE-2025-57788 — Unauthenticated API access in Commvault

CVE-2025-57788 is an authentication-bypass vulnerability affecting on-prem Commvault Web Server / Command Center components (Commvault versions prior to 11.36.60 and several 11.32.x builds). The bug allows unauthenticated actors to execute certain API calls (via the product’s login / API proxy mechanism) without valid credentials. Commvault has published a maintenance release to fix the issue and rates the vulnerability Medium (CVSS v3.1 base score ~6.5; vendor CVSS v4.0 6.9).

Why this matters

  • Commvault is an enterprise backup and data-protection platform used by large organizations and service providers; unauthenticated API access here can let an attacker enumerate or manipulate data and chain into more serious impacts (the research community has shown pre-auth chains leading to remote code execution when combined with other flaws).
  • The attack surface is large: Commvault’s Java front end proxies requests to a backend .NET API on localhost:81, exposing thousands of endpoints internally; if a request can be crafted or a login flow bypassed, large internal functionality becomes reachable from the outside.

Affected software

Commvault lists the impacted versions and the resolved releases in its advisory:

  • Affected: Commvault 11.32.0 → 11.32.101 and 11.36.0 → 11.36.59 (on Linux & Windows).
  • Resolved: 11.32.102 and 11.36.60 (or later).

The vulnerability stems from a weakness in a known login mechanism used by Commvault’s Command Center/APIs. An attacker can cause API calls to be accepted without valid user credentials. RBAC (Role-Based Access Control) reduces exposure but does not eliminate risk, because unauthenticated calls can still reach sensitive API endpoints. The NVD entry and vendor advisory summarize this as an authentication bypass enabling API execution.

Independent researchers who analyzed the product architecture describe how /commandcenter/RestServlet is proxied by the Java front end to an internal .NET backend (localhost:81) that implements thousands of endpoints; many of the Commvault bugs exploited by researchers use this proxying and specific API endpoint semantics to amplify impact (for example to obtain tokens, leak credentials, or write files). The publicly available research details pre-auth chains that combine multiple weaknesses to reach RCE — highlighting that even “only API calls” being made unauthenticated can be a stepping stone to full compromise.

How to detect whether an instance is likely vulnerable

Confirm the software version

  • Log into the Commvault Command Center (or query the server you manage) and check the installed Web Server/Command Center version. Commvault’s advisory tells you how to verify updates in the Command Center under Manage > Servers (filter by Web Server role). If the version is in the affected ranges (see Affected software), treat the instance as potentially vulnerable.

Check for the proxyable endpoint (harmless echo)

  • Commvault exposes a harmless test/echo endpoint that demonstrates the Java→.NET proxying behavior. A basic GET request to this endpoint returns the text you send; this is safe to use to confirm the proxy path exists.

https://<commvault-host>/commandcenter/RestServlet/Test/Echo/hello_detector

A functioning proxy will respond with a 200 and the string sent back. If you get the expected echo response, the Java front end is proxying to the internal API — which is necessary for the classes of issues described in the public research, although it does not prove the authentication bypass itself.

Verify that the product is managed and patched

  • If the server responds to the echo test and the version is older than the resolved versions, flag the system for immediate remediation. If running SaaS Commvault, the vendor states the vulnerability does not apply.

Log analysis

  • Review Commvault web server and proxy logs for suspicious/unauthenticated calls to /commandcenter/RestServlet/* or unexpected JSESSIONID issuance patterns. Unusual sequences where internal API routes are exercised without corresponding authenticated sessions are indicators for follow-up.
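The four checks above can be combined into one triage helper. The script below is an added example, not code from the Commvault advisory or from the watchTowr write-up: it classifies an installed version string against the advisory's affected ranges, evaluates the harmless Test/Echo probe against a host you administer, and groups RestServlet requests that carried no JSESSIONID by source address. The log line format it parses (source IP, method, path, status, `jsessionid=<id or ->`) is constructed for this example and is not Commvault's real log format, so `LOG_RE` must be adapted before use on production logs; the endpoint names other than `Test/Echo` are placeholders.

```python
"""
Added triage helper for CVE-2025-57788 (example code, not the vendor's or
watchTowr's). Three checks from the detection steps above:
  1. classify an installed version against the advisory's affected ranges,
  2. evaluate the harmless Test/Echo probe against a host you administer,
  3. flag RestServlet requests in access logs that carried no JSESSIONID.
Assumptions: the log line format is constructed for this example, and the
endpoint names other than Test/Echo are placeholders.
"""
import re
import sys
import urllib.error
import urllib.request

# Affected ranges from the Commvault advisory (inclusive bounds).
AFFECTED_RANGES = [
    ((11, 32, 0), (11, 32, 101)),
    ((11, 36, 0), (11, 36, 59)),
]

ECHO_PATH = "/commandcenter/RestServlet/Test/Echo/"


def parse_version(text):
    """'11.36.45 (Build 123)' -> (11, 36, 45); missing components are padded with 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version_text):
    """True when the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version_text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def echo_response_confirms_proxy(status, body, marker):
    """The proxy path is confirmed only if the echo endpoint returns 200 and our marker."""
    return status == 200 and marker in body


def echo_probe(base_url, marker="hello_detector", timeout=10):
    """Perform the harmless echo GET; any transport error counts as 'not confirmed'."""
    url = base_url.rstrip("/") + ECHO_PATH + marker
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
            return echo_response_confirms_proxy(resp.status, body, marker)
    except (urllib.error.URLError, OSError):
        return False


# Constructed log format: "<ip> <method> <path> <status> jsessionid=<id or ->".
LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) jsessionid=(?P<sid>\S+)$"
)


def unauthenticated_restservlet_calls(lines):
    """Group RestServlet requests that carried no JSESSIONID by source IP."""
    by_ip = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue  # not in the constructed format; adapt LOG_RE for real logs
        if not m["path"].startswith("/commandcenter/RestServlet/"):
            continue  # static content and other non-API paths are out of scope
        if m["sid"] != "-":
            continue  # an authenticated session was present
        by_ip.setdefault(m["ip"], []).append(m["path"])
    return by_ip


# Constructed sample lines; endpoint names other than Test/Echo are placeholders.
SAMPLE_LOG = [
    "10.0.0.5 GET /commandcenter/RestServlet/Test/Echo/hello_detector 200 jsessionid=-",
    "10.0.0.9 GET /commandcenter/RestServlet/ExampleEndpoint 200 jsessionid=-",
    "10.0.0.9 GET /commandcenter/RestServlet/ExampleEndpoint 200 jsessionid=A1B2C3",
    "10.0.0.9 POST /commandcenter/RestServlet/AnotherExample 200 jsessionid=-",
    "10.0.0.7 GET /commandcenter/static/app.js 200 jsessionid=-",
]


def triage(version_text, echo_ok, log_lines):
    """Combine the checks into one verdict string for a ticket or report."""
    unauth = unauthenticated_restservlet_calls(log_lines)
    if is_affected(version_text):
        verdict = "REMEDIATE: version in affected range"
        if echo_ok:
            verdict += "; proxy path confirmed"
    else:
        verdict = "OK: version not in affected range"
    if unauth:
        verdict += "; review unauthenticated RestServlet calls from " + ", ".join(sorted(unauth))
    return verdict


if __name__ == "__main__":
    # Usage: python triage.py <installed-version> [https://<commvault-host>]
    version = sys.argv[1] if len(sys.argv) > 1 else "11.36.45"
    echo_ok = echo_probe(sys.argv[2]) if len(sys.argv) > 2 else False
    print(triage(version, echo_ok, SAMPLE_LOG))
```

Run it with the version string read from Manage > Servers and, optionally, the base URL of a server you manage; without a URL it skips the network probe and reports only on the version and the embedded sample log. Note that a confirmed echo response raises the priority of a vulnerable version but, as the section above says, does not by itself prove the authentication bypass.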

References

  • NVD — CVE-2025-57788 details (description, CVSS vectors, change history). (nvd.nist.gov)
  • Commvault Security Advisory — CV_2025_08_3: Unauthorized API Access Risk (affected versions, resolved versions, mitigation and verification steps). (documentation.commvault.com)
  • watchTowr technical analysis — “Guess Who Would Be Stupid Enough To Rob The Same Vault Twice? Pre-Auth RCE Chains in Commvault” (deep technical write-up on architecture, proxying, and multi-bug chains). This provides excellent context for defenders. (watchTowr Labs)

Author: vintage