Overview

• Four CVEs found by watchTowr can be chained into two unauthenticated RCE paths, with one chain working against any unpatched instance.
• Commvault’s fixes update mainline versions 11.32.0–11.32.101 and 11.36.0–11.36.59 to 11.32.102 and 11.36.60 on Linux and Windows.
• Researchers describe an argument‑injection token bypass (CVE-2025-57791) and a path traversal enabling webshell write (CVE-2025-57790) as the broadly applicable chain.
• The second chain relies on an info leak (CVE-2025-57788) and decryption of a built‑in admin password via a hard‑coded key (CVE-2025-57789), which requires specific installation‑era conditions.
• Commvault says its SaaS offering is not affected, and admins are urged to patch promptly, reduce exposure, and monitor for unusual API activity and unexpected files in web directories.