Emerging Threat | medium | experimental

Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788)

Detects a qlogin.exe command attempting to authenticate as the internal `_+_PublicSharingUser_` using a GUID as the password. This could be an indicator of an attacker exploiting CVE-2025-57788 to gain initial access using leaked credentials.

Swachchhanda Shrawan Poudel (Nextron Systems) | Created Mon Oct 20 2025 | 917789e1-2c1f-4bf5-8c91-6f71a017f469
Emerging Threat
Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source
Windows Process Creation
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
1 selector
detection:
    selection:
        CommandLine|contains|all:
            - 'qlogin'
            - '_+_PublicSharingUser_'
        # Detects the use of a GUID as the password, which is indicative of an exploit attempt
        CommandLine|re: '[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}'
    condition: selection
False Positives

Legitimate administrative scripts that use the `_+_PublicSharingUser_` account for valid purposes.
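
The selection above, evaluated in Python over constructed command lines. This is an added example, not part of the rule itself; it follows the Sigma specification's matching semantics, and the host name, the GUID value and the `-cs`/`-u`/`-clp` argument layout in the samples are assumptions.

```python
import re

# Values copied from the rule's selection block.
CONTAINS_ALL = ["qlogin", "_+_PublicSharingUser_"]
GUID_RE = re.compile(
    r"[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}"
)

# Constructed CommandLine values; placeholder host, user and GUID.
SAMPLES = [
    # internal account with a GUID-shaped password: expected to alert
    "qlogin.exe -cs cs01.example.test -u _+_PublicSharingUser_ "
    "-clp 00000000-AAAA-BBBB-CCCC-000000000000",
    # same, different casing of the binary and account name
    "QLOGIN.EXE -cs cs01.example.test -u _+_publicsharinguser_ "
    "-clp 00000000-AAAA-BBBB-CCCC-000000000000",
    # ordinary operator login that happens to carry a GUID
    "qlogin.exe -cs cs01.example.test -u backupadmin "
    "-clp 00000000-AAAA-BBBB-CCCC-000000000000",
    # internal account, no GUID on the command line
    "qlogin.exe -cs cs01.example.test -u _+_PublicSharingUser_",
    # internal account, GUID written in lowercase
    "qlogin.exe -cs cs01.example.test -u _+_PublicSharingUser_ "
    "-clp 00000000-aaaa-bbbb-cccc-000000000000",
]


def selection(command_line: str) -> bool:
    """Evaluate the rule's single selection against one CommandLine value."""
    lowered = command_line.lower()
    # contains|all: every substring must be present; plain Sigma string
    # matching is case-insensitive.
    has_all = all(s.lower() in lowered for s in CONTAINS_ALL)
    # re: unanchored search, case-sensitive unless the rule adds the i flag.
    has_guid = GUID_RE.search(command_line) is not None
    # Two field conditions inside one selection map are ANDed.
    return has_all and has_guid


def evaluate(samples=SAMPLES):
    """Return one verdict per sample, in order."""
    return [selection(s) for s in samples]


if __name__ == "__main__":
    for line, hit in zip(SAMPLES, evaluate()):
        print("ALERT" if hit else "-----", line)
```

The last sample does not satisfy the `re` condition as written, so when validating coverage, check whether your backend compiles `re` case-sensitively.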

Rule Metadata
Rule ID: 917789e1-2c1f-4bf5-8c91-6f71a017f469
Status: experimental
Level: medium
Type: Emerging Threat
Created: Mon Oct 20
Path: rules-emerging-threats/2025/Exploits/CVE-2025-57788/proc_creation_win_exploit_cve_2025_57788.yml
Raw Tags:
- attack.privilege-escalation
- attack.persistence
- attack.defense-evasion
- attack.initial-access
- attack.t1078.001
- detection.emerging-threats
- cve.2025-57788