
CV_2025_03_1: Critical Webserver Vulnerability

  • Advisory ID: CV_2025_03_1
  • Severity: HIGH
  • Issued: 2025-02-24
  • Updated: 2025-03-13

A vulnerability has been identified and remediated in all supported versions of the Commvault software. It allows bad actors to create and execute webshells on the Commvault web server, compromising the web server host.

Exploiting this vulnerability requires a bad actor to hold authenticated user credentials within the Commvault software environment; it is not exploitable without authentication. For software customers, this means your environment must be: (i) accessible via the internet, (ii) already compromised through an unrelated avenue, and (iii) accessed with legitimate user credentials.

Impacted Products

Product     Platforms        Affected Versions      Resolved Version   Status
Commvault   Linux, Windows   11.36.0 - 11.36.45     11.36.46           Resolved
Commvault   Linux, Windows   11.32.0 - 11.32.88     11.32.89           Resolved
Commvault   Linux, Windows   11.28.0 - 11.28.140    11.28.141          Resolved
Commvault   Linux, Windows   11.20.0 - 11.20.216    11.20.217          Resolved
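The following script is an added example, not Commvault's own tooling: it transcribes the table above into version ranges and classifies a constructed inventory of CommServe and Web Server hosts (hostnames are hypothetical) as affected, resolved, or on a feature release the advisory does not list.

```python
"""Check Commvault version strings against the CV_2025_03_1 Impacted Products table."""
from typing import Optional, Tuple

# (first affected, last affected, first resolved) per feature release, from the advisory table.
ADVISORY_TABLE = {
    (11, 36): ((11, 36, 0), (11, 36, 45), (11, 36, 46)),
    (11, 32): ((11, 32, 0), (11, 32, 88), (11, 32, 89)),
    (11, 28): ((11, 28, 0), (11, 28, 140), (11, 28, 141)),
    (11, 20): ((11, 20, 0), (11, 20, 216), (11, 20, 217)),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.feature.maintenance' (e.g. '11.32.88') into a comparable tuple.
    A missing maintenance number means the first release of that feature line (0)."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def assess(text: str) -> Tuple[str, Optional[str]]:
    """Return (status, first resolved maintenance release for that feature line).
    status is 'affected', 'resolved', or 'unlisted' when the feature release is not in the table."""
    version = parse_version(text)
    entry = ADVISORY_TABLE.get(version[:2])
    if entry is None:
        return "unlisted", None
    low, high, fixed = entry
    fixed_str = ".".join(map(str, fixed))
    if low <= version <= high:
        return "affected", fixed_str
    return "resolved", fixed_str


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are hypothetical.
    inventory = {"commserve01": "11.32.88", "webserver02": "11.36.46",
                 "webserver03": "11.28.2", "lab-cs": "11.34.10"}
    for host, ver in inventory.items():
        status, fixed = assess(ver)
        action = f"install {fixed}" if status == "affected" else ""
        print(f"{host:12} {ver:10} {status:9} {action}")
```

Versions on an unlisted feature release are reported as such rather than as safe, so they still need to be checked against the vendor's current advisory.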

Resolution

To prevent this issue, immediately install the resolved maintenance release for the affected version on the CommServe, Web Servers, and Command Center. This vulnerability does not impact client computers.

For more information about installing maintenance releases, see Installing Commvault Software Updates on Demand.

UPDATE (March 7th, 2025): We have implemented additional fixes to enhance the security of the webserver module.

UPDATE (March 10th, 2025): Version 11.32.88 had issues with loading certain reports correctly. These issues have been resolved in version 11.32.89.

Refer to the table above for details on the affected versions and updates.
