Authenticated webshell upload and execution in Commvault Web Server

Successful exploitation allows compromise of the Commvault Web Server through deployment and execution of a webshell. This can provide persistent remote access in the security context of the web server, enable arbitrary command execution, facilitate credential theft and follow-on access to connected environments, and support lateral movement or data access. Reporting also associates exploitation with theft of credentials and downstream access to victims' Microsoft 365 environments. CISA added the vulnerability to the KEV catalog on 2025-04-28, indicating in-the-wild exploitation.

If immediate patching is not possible, reduce exposure of Commvault Web Server by restricting network access to trusted administrative sources, disabling or isolating internet exposure, enforcing least-privilege access for authenticated users, and closely monitoring for webshell creation and execution. Inspect web content directories and server logs for unauthorized file writes and execution, monitor for abnormal authentication and post-authentication activity, rotate credentials potentially accessible to the Commvault environment, and review connected Microsoft 365/Azure/Entra ID integrations for abuse. These are temporary risk-reduction measures and not substitutes for patching.

Upgrade Commvault Web Server to a fixed release: 11.36.46, 11.32.89, 11.28.141, or 11.20.217, as applicable to the deployed branch, on both Windows and Linux platforms. Apply vendor guidance associated with the Commvault advisory and validate that all internet-exposed and externally reachable web servers are updated. After patching, review systems for indicators of compromise, including unexpected webshell files, anomalous child processes from the web server, unauthorized accounts, and suspicious access to stored credentials or connected cloud services.