{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2025-57789", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2025-08-19T18:25:57.338Z", "datePublished": "2025-08-20T03:22:08.764Z", "dateUpdated": "2025-09-10T15:54:49.968Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "CommCell", "vendor": "Commvault", "versions": [{"lessThanOrEqual": "11.32.101", "status": "affected", "version": "11.32.0", "versionType": "semver"}, {"lessThanOrEqual": "11.36.59", "status": "affected", "version": "11.36.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "During the brief window between installation and the first administrator login, remote attackers may exploit the default credential to gain admin control. This is limited to the setup phase, before any jobs have been configured."}], "metrics": [{"cvssV4_0": {"version": "4.0", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "baseSeverity": "MEDIUM", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-257", "description": "CWE-257: Storing Passwords in a Recoverable Format", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "050066fd-a2f9-4f32-ab5d-4c53f48bc333", "shortName": "Commvault", "dateUpdated": "2025-09-10T15:54:49.968Z"}, "references": [{"url": "https://documentation.commvault.com/securityadvisories/CV_2025_08_4.html"}], "title": "Vulnerability in Initial Administrator Login Process", "credits": [{"lang": "en", "value": "Sonny and Piotr Bazydlo (@chudyPB) of watchTowr"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-20T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2025-57789"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-21T03:55:09.241Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-57789", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-20T13:31:09.759896Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-20T13:31:13.038Z"}}], "cna": {"title": "Vulnerability in Initial Administrator Login Process", "credits": [{"lang": "en", "value": "Sonny and Piotr Bazydlo (@chudyPB) of watchTowr"}], "metrics": [{"cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}}], "affected": [{"vendor": "Commvault", "product": "CommCell", "versions": [{"status": "affected", "version": "11.32.0", "versionType": "semver", "lessThanOrEqual": "11.32.101"}, {"status": "affected", "version": "11.36.0", "versionType": "semver", "lessThanOrEqual": "11.36.59"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://documentation.commvault.com/securityadvisories/CV_2025_08_4.html"}], "descriptions": [{"lang": "en", "value": "During the brief window between installation and the first administrator login, remote attackers may exploit the default credential to gain admin control. This is limited to the setup phase, before any jobs have been configured."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-257", "description": "CWE-257: Storing Passwords in a Recoverable Format"}]}], "providerMetadata": {"orgId": "050066fd-a2f9-4f32-ab5d-4c53f48bc333", "shortName": "Commvault", "dateUpdated": "2025-09-10T15:54:49.968Z"}}}, "cveMetadata": {"cveId": "CVE-2025-57789", "state": "PUBLISHED", "dateUpdated": "2025-09-10T15:54:49.968Z", "dateReserved": "2025-08-19T18:25:57.338Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2025-08-20T03:22:08.764Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:commvault:commvault:*:*:*:*:*:*:*:*", "matchCriteriaId": "7ABD6584-4B5A-49F4-B2FD-B53B4ECAF0C5", "versionEndExcluding": "11.36.60", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "During the brief window between installation and the first administrator login, remote attackers may exploit the default credential to gain admin control. This is limited to the setup phase, before any jobs have been configured."}, {"lang": "es", "value": "Se detect\u00f3 un problema en Commvault antes de la versi\u00f3n 11.36.60. Durante el breve periodo entre la instalaci\u00f3n y el primer inicio de sesi\u00f3n del administrador, atacantes remotos podr\u00edan explotar las credenciales predeterminadas para obtener el control administrativo. Esto se limita a la fase de configuraci\u00f3n, antes de configurar cualquier tarea."}], "id": "CVE-2025-57789", "lastModified": "2025-09-10T16:15:40.353", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "050066fd-a2f9-4f32-ab5d-4c53f48bc333", "type": "Secondary"}]}, "published": "2025-08-20T04:16:03.847", "references": [{"source": "050066fd-a2f9-4f32-ab5d-4c53f48bc333", "tags": ["Vendor Advisory"], "url": "https://documentation.commvault.com/securityadvisories/CV_2025_08_4.html"}], "sourceIdentifier": "050066fd-a2f9-4f32-ab5d-4c53f48bc333", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-257"}], "source": "050066fd-a2f9-4f32-ab5d-4c53f48bc333", "type": "Secondary"}]}

{}