Critical Webserver Vulnerability: Protect Your Commvault Systems Now

Rescana Security Advisory Report: Critical Vulnerability in Commvault's Webserver Software


In a recent discovery, a critical vulnerability identified as CV_2025_03_1 has been found in Commvault's webserver software. This vulnerability presents significant cybersecurity risks, affecting both Linux and Windows platforms running Commvault versions from 11.20 to 11.36. This flaw enables attackers to gain unauthorized access and potentially seize full control over affected systems by exploiting the webserver module. It's crucial for organizations, especially those in sectors like finance, healthcare, and government across various countries, to address this vulnerability promptly.

Executive Summary

The CV_2025_03_1 vulnerability is a critical security flaw in Commvault's webserver software that can lead to unauthorized access and control over affected systems. It affects multiple versions of Commvault's software on both Linux and Windows platforms. The vulnerability allows attackers to deploy malicious webshells, potentially leading to data breaches and unauthorized access to sensitive information. Although there are no confirmed reports of exploitation in the wild or specific APT group involvement, it is imperative that organizations address this issue immediately by applying security patches and implementing robust cybersecurity measures.

Technical Information

The vulnerability CV_2025_03_1 is specifically associated with the webserver module of Commvault software, impacting versions 11.20 through 11.36. The flaw resides in the way the webserver module handles certain requests, allowing attackers to exploit this weakness by deploying malicious webshells. Webshells are scripts that provide unauthorized access to critical systems, allowing attackers to execute arbitrary commands, access sensitive data, and potentially disrupt operations. The affected software versions include Commvault 11.36.0 to 11.36.45, 11.32.0 to 11.32.87, 11.28.0 to 11.28.140, and 11.20.0 to 11.20.216. Commvault has addressed this vulnerability by releasing patches in versions 11.36.46, 11.32.88, 11.28.141, and 11.20.217.

Exploitation in the Wild

Currently, there are no confirmed reports of CV_2025_03_1 being exploited in the wild. Neither are there any indications of specific Advanced Persistent Threat (APT) group involvement. No proof of concept (POC) or indicators of compromise (IOCs) have been identified. However, the potential for exploitation remains significant due to the critical nature of the vulnerability.

APT Groups using this vulnerability

As of now, there are no identified APT groups known to be exploiting this vulnerability. However, given the high stakes associated with this vulnerability, it remains critical for organizations to stay vigilant and monitor for any updates regarding potential exploitation by threat actors.

Affected Product Versions

The following Commvault software versions are affected by the CV_2025_03_1 vulnerability:

- Commvault (Linux, Windows) versions 11.36.0 to 11.36.45
- Commvault (Linux, Windows) versions 11.32.0 to 11.32.87
- Commvault (Linux, Windows) versions 11.28.0 to 11.28.140
- Commvault (Linux, Windows) versions 11.20.0 to 11.20.216

Workaround and Mitigation

To mitigate the risk posed by the CV_2025_03_1 vulnerability, organizations are advised to apply the following measures immediately:

1. Update all systems running Commvault webserver software to the latest patched versions: 11.36.46, 11.32.88, 11.28.141, and 11.20.217.
2. Conduct regular vulnerability assessments to identify and address potential security flaws.
3. Implement continuous monitoring solutions to detect unauthorized access and unusual activity within the network.
4. Educate and train IT staff on the importance of applying security patches and maintaining a strong security posture.
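A version check for inventory triage, built from the affected ranges and patched releases listed in this advisory. This is an added example, not Commvault or Rescana code; the `major.minor.maintenance` version-string format, the hostnames and the sample inventory are assumptions.

```python
import re

# Release lines as listed in this advisory:
# minor -> (last affected maintenance release, first patched maintenance release)
AFFECTED = {
    36: (45, 46),
    32: (87, 88),
    28: (140, 141),
    20: (216, 217),
}

# Assumed input format: "11.<minor>.<maintenance>", optionally prefixed with "v".
VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)\s*$")


def classify(version):
    """Return (status, patched_version_or_None) for one version string."""
    m = VERSION_RE.match(version)
    if not m:
        return ("unparseable", None)
    major, minor, patch = (int(g) for g in m.groups())
    if major != 11 or minor not in AFFECTED:
        # The advisory lists four release lines only; anything else is
        # reported as "not_listed" rather than assumed safe.
        return ("not_listed", None)
    last_bad, first_fixed = AFFECTED[minor]
    fixed = f"11.{minor}.{first_fixed}"
    return ("affected", fixed) if patch <= last_bad else ("patched", fixed)


def triage(inventory):
    """Map host -> (status, patched version) for a dict of host -> version."""
    return {host: classify(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "backup-web-01": "11.36.45",
    "backup-web-02": "11.36.46",
    "backup-web-03": "11.28.12",
    "backup-web-04": "11.24.90",
    "backup-web-05": "SP36",
}

if __name__ == "__main__":
    for host, (status, fixed) in sorted(triage(SAMPLE).items()):
        note = f" -> update to at least {fixed}" if status == "affected" else ""
        print(f"{host}: {status}{note}")
```

Hosts reported as `not_listed` or `unparseable` need a manual check against the Commvault security advisory page rather than being treated as unaffected.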

References

For more detailed information on the CV_2025_03_1 vulnerability and related security advisories, please refer to the following resources:

- Cyber Express Article on Commvault Vulnerability: https://thecyberexpress.com/commvault-webserver-vulnerability/
- Official Commvault Security Advisory Page: https://documentation.commvault.com/securityadvisories/

Rescana is here for you

At Rescana, we are dedicated to helping our customers navigate the complex landscape of cybersecurity threats through our Third Party Risk Management (TPRM) platform. We provide comprehensive solutions to identify, assess, and mitigate risks associated with third-party vendors. If you have any questions or need further assistance regarding this report or other cybersecurity issues, please reach out to our team at ops@rescana.com. We are here to support you in safeguarding your organization against vulnerabilities and ensuring robust security practices.
