CVE-2025-57788
published 2025-08-20


Priority: P182 · Medium 6.5 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploitation: ITW EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 2.72% (84.2th percentile)
A vulnerability in a known login mechanism allows unauthenticated attackers to execute API calls without requiring user credentials. RBAC helps limit the exposure but does not eliminate risk.

Affected (3 ranges)

Vendor     Product    Version range         Fixed in
commvault  commcell   11.32.0 – 11.32.101
commvault  commcell   11.36.0 – 11.36.59
commvault  commvault  < 11.36.60            11.36.60

Detection & IOCs (extracted from sources)

url    /commandcenter/publicLink.do
url    /commandcenter/api/Login
url    /commandcenter/RestServlet/Database/GetUmUserById/1
other  _+_PublicSharingUser_
other  http.favicon.hash:-542502280
  • Detect unauthenticated GET requests to /commandcenter/publicLink.do — this is the first step of the exploit chain used to extract the GUID (cv-gorkha value) needed for the PublicSharingUser login.
  • Detect POST requests to /commandcenter/api/Login with the username '_+_PublicSharingUser_' — this is the unauthenticated login step using the base64-encoded GUID as the password.
  • Detect GET requests to /commandcenter/RestServlet/Database/GetUmUserById/1 with an Authtoken header — this is the credential-harvesting step that retrieves login, email, and password fields.
  • Alert on HTTP responses containing all of 'login', 'email', 'password', and 'datePasswordSet' from the /commandcenter/RestServlet/ path — this indicates successful credential disclosure.
  • CVE-2025-57788 is leveraged in the Metasploit RCE chain (CVE-2025-57790/57791) to leak the target hostname; correlate exploitation of this CVE with subsequent RCE attempts.
  • Use the Shodan favicon hash -542502280 to identify exposed Commvault Command Center instances on the internet for proactive asset discovery.
  • RBAC is a partial mitigation only — it limits exposure but does not prevent unauthenticated API access via the PublicSharingUser mechanism.
  • The vulnerability affects Commvault versions before 11.36.60; upgrade to 11.36.60 or later to remediate.
  • The exploit chain requires exactly 3 sequential HTTP requests (publicLink.do → Login → GetUmUserById); detection logic should account for this multi-step flow.
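As an added defensive example (not code from cvebase or Commvault), the following Python correlates the three-step request sequence listed above per source IP over ordinary web-server access-log lines, flagging only sources that complete all three steps in order within a time window. Because access logs carry neither the POST body username nor the Authtoken header, it matches on method and path only; the log lines, IP addresses and the 10-minute window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Ordered (method, path) signature of the three-request chain described above.
CHAIN = [
    ("GET", "/commandcenter/publicLink.do"),
    ("POST", "/commandcenter/api/Login"),
    ("GET", "/commandcenter/RestServlet/Database/GetUmUserById/1"),
]
WINDOW = timedelta(minutes=10)  # assumed correlation window; tune per environment
# Common Log Format: client ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Constructed sample: a benign share-link visitor, one full chain, one failed direct probe.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Aug/2025:10:01:02 +0000] "GET /commandcenter/publicLink.do HTTP/1.1" 200 512
198.51.100.7 - - [20/Aug/2025:10:01:05 +0000] "GET /commandcenter/publicLink.do HTTP/1.1" 200 512
198.51.100.7 - - [20/Aug/2025:10:01:06 +0000] "POST /commandcenter/api/Login HTTP/1.1" 200 301
198.51.100.7 - - [20/Aug/2025:10:01:07 +0000] "GET /commandcenter/RestServlet/Database/GetUmUserById/1 HTTP/1.1" 200 1402
192.0.2.5 - - [20/Aug/2025:10:02:00 +0000] "GET /commandcenter/RestServlet/Database/GetUmUserById/1 HTTP/1.1" 401 0
""".splitlines()

def parse(line):
    # Returns (ip, timestamp, method, path without query, status) or None if unparseable.
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])

def find_chains(lines):
    """Map source IP -> start time for each source completing all steps in order within WINDOW."""
    progress = defaultdict(lambda: (0, None))  # ip -> (next expected step, chain start)
    hits = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        step, start = progress[ip]
        if start is not None and ts - start > WINDOW:
            step, start = 0, None  # stale partial chain: start over
        if status < 400 and (method, path) == CHAIN[step]:
            start = start or ts
            step += 1
            if step == len(CHAIN):
                hits[ip] = start  # full publicLink.do -> Login -> GetUmUserById sequence seen
                step, start = 0, None
        progress[ip] = (step, start)
    return hits
```

Out-of-order or rejected (4xx/5xx) requests never advance a source's step counter, so a lone probe of GetUmUserById or a legitimate public-share visit does not alert.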

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     6.5    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
nvd        v4.0     6.9    MEDIUM    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck           6.9    MEDIUM