- Advisory ID: CV_2025_03_1
- Severity: HIGH
- Issued: 2025-02-24
- Updated: 2025-03-13
A vulnerability has been identified and remediated in all supported versions of the Commvault software. Webservers can be compromised through bad actors creating and executing webshells.
Exploiting this vulnerability requires a bad actor to have authenticated user credentials within the Commvault Software environment. Unauthenticated access is not exploitable. For software customers, this means your environment must be: (i) accessible via the internet, (ii) compromised through an unrelated avenue, and (iii) accessed leveraging legitimate user credentials.
Impacted Products
| Product | Platforms | Affected Versions | Resolved Version | Status |
|---|---|---|---|---|
| Commvault | Linux, Windows | 11.36.0 - 11.36.45 | 11.36.46 | Resolved |
| Commvault | Linux, Windows | 11.32.0 - 11.32.88 | 11.32.89 | Resolved |
| Commvault | Linux, Windows | 11.28.0 - 11.28.140 | 11.28.141 | Resolved |
| Commvault | Linux, Windows | 11.20.0 - 11.20.216 | 11.20.217 | Resolved |
Resolution
To prevent this issue, immediately install the resolved maintenance release for the affected version on the CommServe, Web Servers, and Command Center. This vulnerability does not impact client computers.
For more information about installing maintenance releases, see Installing Commvault Software Updates on Demand.
UPDATE (March 7th, 2025) – We have implemented additional fixes to enhance the security of the webserver module.
UPDATE (March 10th, 2025) – Version 11.32.88 had issues with loading certain reports correctly. These issues have been resolved in version 11.32.89.
Refer to the table above for details on the affected versions and updates.