Vulnerability in Commvault Commcell

CVE-2025-57789

During the brief window between installation and the first administrator login, remote attackers may exploit the default credential to gain admin control. This is limited to the setup phase, before any jobs have been configured.

EPSS: 0.065 (91.3th percentile) — read the EPSS interpretation.

Affected products

Commvault Commcell — versions 11.32.0, 11.36.0

Weakness classification (CWE)

CWE-257 — Storing Passwords in a Recoverable Format

References

documentation.commvault.com/securityadvisories/CV_2025_08_4.html