Primary

Context

Commvault Default Credential Vulnerability in Initial Setup Phase Allowing Admin Access

Vulnerability

Patched

A vulnerability exists in Commvault versions 11.32.0 through 11.32.101 and 11.36.0 through 11.36.59. During the initial setup phase, before the first administrator login, remote attackers can exploit default credentials to gain administrative control. This issue is limited to the setup phase, prior to any job configurations.

Impact

Exploitation of this vulnerability allows remote attackers to gain administrative control over the Commvault application.

Remediation

Users should install the maintenance release version 11.32.102 or 11.36.60, depending on their current version. Instructions for verifying if the update is installed are available in the Commvault security advisory.

Added: Aug 20, 2025, 4:20 AM

Updated: Aug 20, 2025, 4:20 AM

Vulnerability Rating

Custom Algorithm

spread

4.5

impact

7.5

exploitability

7.0

remediation

7.7

relevance

0.4

threat

0.1

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

4.5

impact

7.5

exploitability

7.0

remediation

7.7

relevance

0.4

threat

0.1

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Commvault Default Credential Vulnerability in Initial Setup Phase Allowing Admin Access

Vulnerability

Impact

Remediation

Affected Products

Commvault

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating