CVE-2025-57789

During the brief window between installation and the first administrator login, remote attackers may exploit the default credential to gain admin control. This is limited to the setup phase, before any jobs have been configured.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://documentation.commvault.com/securityadvisories/CV_2025_08_4.html	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:commvault:commvault:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-08-20 04:16

Updated : 2025-09-10 16:15

NVD link : CVE-2025-57789

Mitre link : CVE-2025-57789

CVE.ORG link : CVE-2025-57789

JSON object : View

Products Affected

commvault

commvault

CWE

CWE-257

Storing Passwords in a Recoverable Format

{"id": "CVE-2025-57789", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "050066fd-a2f9-4f32-ab5d-4c53f48bc333", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-20T04:16:03.847", "references": [{"url": "https://documentation.commvault.com/securityadvisories/CV_2025_08_4.html", "tags": ["Vendor Advisory"], "source": "050066fd-a2f9-4f32-ab5d-4c53f48bc333"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "050066fd-a2f9-4f32-ab5d-4c53f48bc333", "description": [{"lang": "en", "value": "CWE-257"}]}], "descriptions": [{"lang": "en", "value": "During the brief window between installation and the first administrator login, remote attackers may exploit the default credential to gain admin control. This is limited to the setup phase, before any jobs have been configured."}, {"lang": "es", "value": "Se detect\u00f3 un problema en Commvault antes de la versi\u00f3n 11.36.60. Durante el breve periodo entre la instalaci\u00f3n y el primer inicio de sesi\u00f3n del administrador, atacantes remotos podr\u00edan explotar las credenciales predeterminadas para obtener el control administrativo. Esto se limita a la fase de configuraci\u00f3n, antes de configurar cualquier tarea."}], "lastModified": "2025-09-10T16:15:40.353", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:commvault:commvault:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7ABD6584-4B5A-49F4-B2FD-B53B4ECAF0C5", "versionEndExcluding": "11.36.60"}], "operator": "OR"}]}], "sourceIdentifier": "050066fd-a2f9-4f32-ab5d-4c53f48bc333"}