Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788)

Rule Info

Name: Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788)
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects a qlogin.exe command attempting to authenticate as the internal `_+_PublicSharingUser_` using a GUID as the password. This could be an indicator of an attacker exploiting CVE-2025-57788 to gain initial access using leaked credentials.
Date: 2025-10-20 00:00:00
Modified: None
Id: 917789e1-2c1f-4bf5-8c91-6f71a017f469
Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.initial-access, attack.t1078.001, detection.emerging-threats, cve.2025-57788
Type: Community Rule

Rule History

| Author | Title | Date | Commit |
| --- | --- | --- | --- |
| phantinuss | chore: ci: bump validator version (#5722) | 2025-10-23 | |
| Swachchhanda Shrawan Poudel | Merge PR #5620 from @swachchhanda000 - Commonvault vulnerabilities | 2025-10-20 | |