Commvault QLogin Argument Injection Authentication Bypass (CVE-2025-57791)
Detects the use of argument injection in the Commvault qlogin command - potential exploitation for CVE-2025-57791.
An attacker can inject the `-localadmin` parameter via the password field to bypass authentication and gain a privileged token.
Sigma rule
title: Commvault QLogin Argument Injection Authentication Bypass (CVE-2025-57791)
id: ff0225a0-1d9a-4bae-ab26-6038b18bb6d4
status: experimental
description: |
    Detects the use of argument injection in the Commvault qlogin command - potential exploitation for CVE-2025-57791.
    An attacker can inject the `-localadmin` parameter via the password field to bypass authentication and gain a privileged token.
references:
    - https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/
author: X__Junior (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-20
tags:
    - attack.initial-access
    - attack.t1190
    - detection.emerging-threats
    - cve.2025-57791
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'qlogin'
            - ' -cs '
            - ' -localadmin'
            - ' -clp '
            - '_localadmin__'
    condition: selection
falsepositives:
    - Unknown
level: high
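To show what the rule's `CommandLine|contains|all` selection actually matches, here is an added Python example (not part of the Sigma rule or of this page) that applies the same five substring conditions to a few constructed Windows process_creation records; Sigma string matching is case-insensitive by default, which the helper reproduces. Hostnames, user names and password values in the sample events are placeholders.

```python
"""Added example: evaluate this rule's `CommandLine|contains|all` selection.

Not part of the Sigma rule or the page. The process records below are
constructed test data, not real telemetry.
"""

# The five substrings from the rule's selection, copied verbatim. All of them
# must be present (logical AND) for the selection to match. Leading/trailing
# spaces are significant: ' -cs ' must appear with its surrounding spaces.
SELECTION_CONTAINS_ALL = ("qlogin", " -cs ", " -localadmin", " -clp ", "_localadmin__")


def matches_selection(command_line: str) -> bool:
    """Return True when every needle occurs in the command line.

    Sigma modifiers are case-insensitive unless |cased is used, so both sides
    are lower-cased before the substring test.
    """
    haystack = command_line.lower()
    return all(needle.lower() in haystack for needle in SELECTION_CONTAINS_ALL)


def evaluate(events: list[dict]) -> list[dict]:
    """Apply the rule to process_creation events and return the matching ones."""
    return [e for e in events if matches_selection(e.get("CommandLine", ""))]


# Constructed sample events (placeholder hostnames, users and passwords).
SAMPLE_EVENTS = [
    # Routine qlogin use: has -cs and -clp but none of the injection
    # indicators, so it must not match.
    {"Image": r"C:\Program Files\Commvault\ContentStore\Base\qlogin.exe",
     "CommandLine": 'qlogin -cs CS01 -u backupadmin -clp "<placeholder>"'},
    # Constructed event carrying every indicator the rule looks for; mixed case
    # exercises the case-insensitive match.
    {"Image": r"C:\Program Files\Commvault\ContentStore\Base\qlogin.exe",
     "CommandLine": "QLogin -cs CS01 -u backupadmin -clp <placeholder> -LocalAdmin _localadmin__"},
    # Unrelated process: no qlogin at all.
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT:", hit["CommandLine"])
```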