Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790)
Detects the use of qoperation.exe with the -file argument to write a JSP file to the webroot, indicating a webshell drop. This is a post-authentication step corresponding to CVE-2025-57790.
Sigma rule
title: Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790)
id: bd3b3fff-a018-4994-9876-68af5809160f
status: experimental
description: |
    Detects the use of qoperation.exe with the -file argument to write a JSP file to the webroot, indicating a webshell drop.
    This is a post-authentication step corresponding to CVE-2025-57790.
references:
    - https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-20
tags:
    - attack.persistence
    - attack.t1505.003
    - detection.emerging-threats
    - cve.2025-57790
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # qoperation execute -af F:\Program Files\Commvault\ContentStore\Reports\MetricsUpload\Upload\ABC1234\rekt.xml -file F:\Program Files\Commvault\ContentStore\Apache\webapps\ROOT\wT-poc.jsp
        CommandLine|contains|all:
            - 'qoperation'
            - 'exec'
            - ' -af '
            - '.xml '
            - '\Apache\webapps\ROOT\'
            - '.jsp'
    condition: selection
falsepositives:
    - Unknown
level: high
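As an added example (not part of the Sigma rule or the Sigma project), the selection above evaluated in Python against constructed process_creation events: the event dictionaries and the matches_rule/alerts helpers are assumptions, and the first command line mirrors the one quoted in the rule's comment.

```python
# Added example, not part of the rule or of any Sigma tooling: evaluate this rule's
# `CommandLine|contains|all` selection against constructed process_creation events.
# Sigma string matching is case-insensitive by default and backslashes in plain
# YAML values are literal, so tokens are compared against a lowercased command line.
SELECTION_CONTAINS_ALL = [
    "qoperation",
    "exec",
    " -af ",
    ".xml ",
    "\\Apache\\webapps\\ROOT\\",
    ".jsp",
]


def matches_rule(event: dict) -> bool:
    """True when the event's CommandLine contains every token (case-insensitive)."""
    cmdline = event.get("CommandLine", "")
    if not isinstance(cmdline, str):
        return False
    haystack = cmdline.lower()
    return all(token.lower() in haystack for token in SELECTION_CONTAINS_ALL)


# Constructed sample events (assumed field names). The first mirrors the command
# line quoted in the rule's comment; the other two are benign look-alikes.
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Program Files\Commvault\ContentStore\Base\qoperation.exe",
        "CommandLine": (
            r"qoperation execute -af F:\Program Files\Commvault\ContentStore\Reports"
            r"\MetricsUpload\Upload\ABC1234\rekt.xml -file F:\Program Files\Commvault"
            r"\ContentStore\Apache\webapps\ROOT\wT-poc.jsp"
        ),
    },
    {   # ordinary administrative use: an XML request, nothing written to the webroot
        "Image": r"C:\Program Files\Commvault\ContentStore\Base\qoperation.exe",
        "CommandLine": r"qoperation execute -af C:\temp\job_request.xml",
    },
    {   # webroot path and .jsp present, but no qoperation execute/-af invocation
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c dir F:\Program Files\Commvault\ContentStore\Apache\webapps\ROOT\*.jsp",
    },
]


def alerts(events) -> list:
    """Return the index of every event that satisfies the rule's condition."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


if __name__ == "__main__":
    print("Events matching rule:", alerts(SAMPLE_EVENTS))  # → [0]
```

Only the first event fires; the second lacks the webroot path and the ".xml " token, and the third never invokes qoperation.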
Related rules
- Potential Java WebShell Upload in SAP NetViewer Server
- Potential SAP NetViewer Webshell Command Execution
- MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request
- CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
- DEWMODE Webshell Access