CVSS: 8.5 • EPSS: 0% • CPEs: 5 • EXPL: 0

25 Jul 2025 — A DLL injection vulnerability exists in Commvault for Windows 11.20.0, 11.28.0, 11.32.0, 11.34.0, and 11.36.0. During the installation of maintenance updates, an attacker with local access may exploit uncontrolled search path or DLL loading behavior to execute arbitrary code with elevated privileges. The vulnerability has been resolved in versions 11.20.202, 11.28.124, 11.32.65, 11.34.37, and 11.36.15. • https://documentation.commvault.com/securityadvisories/CV_2024_09_2.html • CWE-427: Uncontrolled Search Path Element

CVSS: 8.5 • EPSS: 0% • CPEs: 5 • EXPL: 0

25 Jul 2025 — A local privilege escalation vulnerability exists in Commvault for Windows versions 11.20.0, 11.28.0, 11.32.0, 11.34.0, and 11.36.0. In affected configurations, a local attacker who owns a client system with the file server agent installed can compromise any assigned Windows access nodes. This may allow unauthorized access or lateral movement within the backup infrastructure. The issue has been resolved in versions 11.32.60, 11.34.34, and 11.36.8. • https://documentation.commvault.com/securityadvisories/CV_2024_09_1.html • CWE-269: Improper Privilege Management

CVSS: 9.8 • EPSS: 0% • CPEs: 3 • EXPL: 0

25 Jul 2025 — An SQL injection vulnerability exists in Commvault 11.32.0 - 11.32.93, 11.36.0 - 11.36.51, and 11.38.0 - 11.38.19 Web Server component that allows a remote, unauthenticated attacker to perform SQL Injection. The vulnerability impacts systems where the CommServe and Web Server roles are installed. Other Commvault components deployed in the same environment are not affected. • https://documentation.commvault.com/securityadvisories/CV_2025_04_2.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 10.0 • EPSS: 83% • CPEs: 6 • EXPL: 2

19 Jan 2018 — A Command Injection issue was discovered in ContentStore/Base/CVDataPipe.dll in Commvault before v11 SP6. A certain message parsing function inside the Commvault service does not properly validate the input of an incoming string before passing it to CreateProcess. As a result, a specially crafted message can inject commands that will be executed on the target operating system. Exploitation of this vulnerability does not require authentication and can lead to SYSTEM level privilege on any system running the ... • https://github.com/securifera/CVE-2017-18044-Exploit • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')