Commvault patches four on-prem vulnerabilities tied to remote code execution chains

Commvault has patched four vulnerabilities in its on-premises Backup & Recovery Suite that could allow unauthenticated attackers to seize control of affected deployments, the company said on Wednesday. Security researchers from watchTowr Labs published technical details and demonstrated how the flaws could be chained to achieve remote code execution (RCE).

According to the researchers, the flaws affect the core management plane components – including the Web Server, Command Center, and in some cases the CommServe, which is the central brain of a Commvault deployment. The four vulnerabilities are identified in Commvault advisories as CVE-2025-57788, CVE-2025-57789, CVE-2025-57791, and CVE-2025-57790.

Two RCE chains have been demonstrated. The first chain works only if the built-in administrator password has not been changed since installation and relies on exploiting CVE-2025-57788 (authentication bypass), CVE-2025-57789 (privilege escalation), and CVE-2025-57790 (RCE). The second chain appears to work against any unpatched on-premises instance and uses CVE-2025-57791 to bypass authentication and CVE-2025-57790 for RCE via a webshell injection.

Commvault notes that the vulnerabilities affect main branch versions 11.32.0–11.32.101 and 11.36.0–11.36.59, which have been fixed in versions 11.32.102 and 11.36.60. The company also states that the on-prem SaaS solution is not affected by these flaws.

watchTowr researchers also indicated that versions 11.38.20–11.38.25 of Commvault’s Innovation release are affected, with patches available in 11.38.32. This emphasizes the need for administrators to apply updates where feasible and to limit exposure of vulnerable deployments.

Cybersecurity experts note that backup systems are high-value targets for threat actors, who aim to destroy recovery points or exfiltrate data. As a precaution, admins should monitor for unusual API activity and unexpected files appearing under web directories, and limit internet-facing exposure where possible to reduce risk while updates are applied.
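The "unexpected files under web directories" check above, as an added example that is not code from the article, watchTowr or Commvault: take a hash manifest of the web root while it is known-good, re-take it later, and flag new or changed files, with server-side script extensions called out separately. The directory layout, file names and extension list are constructed for the demo and are not a description of Commvault's web stack.

```python
"""Baseline-and-diff check for a web root (added example, not Commvault code)."""
import hashlib
import tempfile
from pathlib import Path

# Extensions a web server would execute if a file with them appeared in its root.
# Assumption: illustrative list, not tied to any particular product.
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".jsp", ".php", ".cshtml", ".dll"}


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Return sorted lists (added, modified, removed) between two manifests."""
    added = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    removed = sorted(p for p in baseline if p not in current)
    return added, modified, removed


def suspicious(paths):
    """Subset of paths whose extension the web server would execute."""
    return [p for p in paths if Path(p).suffix.lower() in SCRIPT_EXTS]


def demo():
    """Constructed scenario: baseline, then a new script file and an edited asset."""
    with tempfile.TemporaryDirectory() as root:
        app = Path(root) / "app"
        app.mkdir()
        (app / "index.html").write_text("<html></html>")
        (app / "site.css").write_text("body{}")
        baseline = build_manifest(root)
        # Simulated post-baseline changes: one dropped script, one modified file.
        (app / "unexpected.aspx").write_text("<% %>")
        (app / "site.css").write_text("body{color:red}")
        added, modified, removed = diff_manifests(baseline, build_manifest(root))
        return added, modified, removed, suspicious(added + modified)


if __name__ == "__main__":
    print(demo())
```

Run the baseline while the host is known-good and store the manifest off-box; a drift of zero on a quiet system is the expected result, and any new entry in the suspicious list warrants an incident-response look.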