Commvault has released security updates addressing four newly discovered vulnerabilities in its data protection platform that could be exploited to achieve remote code execution (RCE) on unpatched systems. The issues affect software versions prior to 11.36.60 and were reported by researchers at watchTowr Labs in April 2025. The most severe, CVE-2025-57790 (CVSS 8.7), allows remote attackers to access the file system via a path traversal flaw, while other bugs enable unauthorized API access, abuse of default credentials during setup, and input manipulation leading to session hijacking.
The flaws are especially dangerous when chained. One exploit path combines CVE-2025-57791 with the path traversal flaw to compromise the system, while another links CVE-2025-57788, CVE-2025-57789, and CVE-2025-57790 to achieve pre-authenticated RCE, provided the built-in admin password has not been changed since installation. These issues do not affect Commvault's SaaS platform, but on-premises deployments remain vulnerable unless updated to version 11.32.102 or 11.36.60.
The timing and nature of these flaws raise red flags for the healthcare sector, a key market for Commvault. The company promotes its platform as purpose-built for data-driven care, boasting features like snapshot backup management, cloud-ready clinical data handling, and silo-breaking data accessibility to support personalized medicine and advanced analytics. But as healthcare organizations adopt such platforms for their resilience and interoperability, any overlooked misconfiguration or delayed patch becomes a major risk vector.
Compounding the concern is Commvault's recent history: a separate flaw, CVE-2025-34028 (CVSS 10.0), disclosed just months earlier, was later confirmed by CISA as actively exploited in the wild. The new vulnerabilities further underscore the importance of treating backup infrastructure not as passive protection but as critical, privileged systems that must be vigilantly secured.
For healthcare organizations relying on Commvault to safeguard sensitive clinical data and maintain uptime in care delivery, these vulnerabilities should serve as a wake-up call. Ensure your team has applied the latest patches, changed the default credentials post-installation, and conducted a full review of access controls around backup infrastructure. While Commvault markets itself as a robust platform for modern, data-driven healthcare, it is up to your security program to align those capabilities with operational discipline. Treat your backup systems as Tier 1 assets, and protect them accordingly.
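The two checks above that can be automated, patch level and default-credential state, are easy to get wrong with a naive "older than 11.36.60" comparison, because the 11.32 branch is fixed at 11.32.102 even though that number sorts below 11.36.60. The following script is an added example written for this article, not Commvault's own tooling or a watchTowr artifact. The fixed versions come from the advisory text; the `Host` inventory is constructed sample data; the `default_admin_password_changed` flag is a hypothetical field you would populate from your own configuration review; and feature-release branches the advisory does not mention (for example 11.34) are flagged for manual review rather than guessed at.

```python
"""Triage on-premises Commvault hosts against the fixed builds named in the advisory.

Added example, not Commvault's code. Fixed builds (11.32.102 and 11.36.60) are
taken from the advisory; everything else here is a labelled assumption or
constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass

# Fixed build per feature-release branch, as stated in the advisory.
# Assumption: branches absent from this table are not covered by the advisory
# text, so they are reported as "review" instead of being judged either way.
FIXED_BY_BRANCH: dict[tuple[int, int], tuple[int, ...]] = {
    (11, 32): (11, 32, 102),
    (11, 36): (11, 36, 60),
}


@dataclass(frozen=True)
class Host:
    """One CommServe/MediaAgent record from an inventory (constructed sample data)."""
    name: str
    version: str
    default_admin_password_changed: bool  # hypothetical field from your config review


def parse_version(text: str) -> tuple[int, ...]:
    """Parse '11.36.58' into (11, 36, 58). Three or four numeric parts are accepted."""
    parts = text.strip().split(".")
    if not 3 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Commvault version string: {text!r}")
    return tuple(int(p) for p in parts)


def patch_status(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'review' for a single version string.

    Comparison is branch-aware: 11.32.102 is patched even though it sorts
    below 11.36.60, because each branch has its own fixed build.
    """
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return "review"
    # Tuple comparison: a longer tuple with the same prefix (11.36.60.1) counts
    # as at least the fixed build, which is the intended reading.
    return "patched" if v >= fixed else "vulnerable"


def triage(hosts: list[Host]) -> list[dict[str, object]]:
    """Produce one finding per host with the remediation steps the advisory calls for."""
    findings = []
    for host in hosts:
        status = patch_status(host.version)
        actions: list[str] = []
        if status == "vulnerable":
            fixed = ".".join(map(str, FIXED_BY_BRANCH[parse_version(host.version)[:2]]))
            actions.append(f"upgrade to {fixed}")
            if not host.default_admin_password_changed:
                # Unchanged built-in admin password is the precondition the
                # advisory gives for the pre-authenticated RCE chain.
                actions.append("default admin password unchanged: exposed to the pre-auth RCE chain")
        elif status == "review":
            actions.append("branch not covered by advisory text: confirm fixed build with vendor")
        if not host.default_admin_password_changed and "default admin password unchanged" not in " ".join(actions):
            actions.append("change the built-in admin password")
        findings.append({"host": host.name, "version": host.version,
                         "status": status, "actions": actions})
    return findings


# Constructed sample inventory; the hostnames and versions are invented.
SAMPLE_HOSTS = [
    Host("cs-prod-01", "11.36.58", default_admin_password_changed=False),
    Host("cs-prod-02", "11.36.60", default_admin_password_changed=True),
    Host("ma-dr-01", "11.32.102", default_admin_password_changed=True),
    Host("ma-dr-02", "11.32.99", default_admin_password_changed=True),
    Host("cs-lab-01", "11.34.10", default_admin_password_changed=False),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_HOSTS):
        print(f"{finding['host']:<12} {finding['version']:<10} {finding['status']:<11} "
              + "; ".join(finding["actions"]))
```

Run it with an inventory exported from your own environment in place of `SAMPLE_HOSTS`; anything that lands in `review` needs a human decision, and anything `vulnerable` with the default password still in place is the case the advisory singles out as pre-authenticated RCE and should be at the top of the patch queue.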