module

Commvault Command-Line Argument Injection to Traversal Remote Code Execution

Disclosed	Created
Aug 19, 2025	Sep 17, 2025

Disclosed

Aug 19, 2025

Created

Sep 17, 2025

Description

This module exploits an unauthenticated remote code execution exploit chain for Commvault,
tracked as CVE-2025-57790 and CVE-2025-57791. A command-line injection permits unauthenticated
access to the 'localadmin' account, which then facilitates code execution via expression
language injection. CVE-2025-57788 is also leveraged to leak the target host name, which is
necessary knowledge to exploit the remote code execution chain. This module executes in
the context of 'NETWORK SERVICE' on Windows.

Authors

Sonny Macdonald
Piotr Bazydlo
remmons-r7

Platform

Windows

Architectures

cmd

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':


    msf > use exploit/windows/http/commvault_rce_cve_2025_57790_cve_2025_57791
    msf exploit(commvault_rce_cve_2025_57790_cve_2025_57791) > show targets
        ...targets...
    msf exploit(commvault_rce_cve_2025_57790_cve_2025_57791) > set TARGET < target-id >
    msf exploit(commvault_rce_cve_2025_57790_cve_2025_57791) > show options
        ...show and set options...
    msf exploit(commvault_rce_cve_2025_57790_cve_2025_57791) > exploit

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report