Commvault QLogin Argument Injection Authentication Bypass (CVE-2025-57791)

Rule Info

Name: Commvault QLogin Argument Injection Authentication Bypass (CVE-2025-57791)
Author: X__Junior (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects the use of argument injection in the Commvault qlogin command - potential exploitation for CVE-2025-57791. An attacker can inject the `-localadmin` parameter via the password field to bypass authentication and gain a privileged token.
Date: 2025-10-20 00:00:00
Modified: None
Id: ff0225a0-1d9a-4bae-ab26-6038b18bb6d4
Tags: attack.initial-access attack.t1190 detection.emerging-threats cve.2025-57791
Type: Community Rule

Rule History

Author | Title | Date | Commit
Swachchhanda Shrawan Poudel | Merge PR #5620 from @swachchhanda000 - Commonvault vulnerabilities | 2025-10-20 |