Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790)

Rule Info

Name
Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790)
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the use of qoperation.exe with the -file argument to write a JSP file to the webroot, indicating a webshell drop. This is a post-authentication step corresponding to CVE-2025-57790.
Reference
https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/
Date
2025-10-20 00:00:00
Modified
None
Id
bd3b3fff-a018-4994-9876-68af5809160f
Tags
attack.persistence attack.t1505.003 detection.emerging-threats cve.2025-57790
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=bd3b3fff-a018-4994-9876-68af5809160f

Rule History

Author
Title
Date
Commit
Swachchhanda Shrawan Poudel
Merge PR #5620 from @swachchhanda000 - Commonvault vulnerabilities
2025-10-20
a532ddb63
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022