Emerging Threathighexperimental
Commvault QLogin Argument Injection Authentication Bypass (CVE-2025-57791)
Detects the use of argument injection in the Commvault qlogin command - potential exploitation for CVE-2025-57791. An attacker can inject the `-localadmin` parameter via the password field to bypass authentication and gain a privileged token.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
X__Junior (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)Created Mon Oct 20ff0225a0-1d9a-4bae-ab26-6038b18bb6d42025
Emerging Threat
Active Threat
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic1 selector
detection:
selection:
CommandLine|contains|all:
- 'qlogin'
- ' -cs '
- ' -localadmin'
- ' -clp '
- '_localadmin__'
condition: selectionFalse Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
References
MITRE ATT&CK
Tactics
Other
detection.emerging-threatscve.2025-57791
Rule Metadata
Rule ID
ff0225a0-1d9a-4bae-ab26-6038b18bb6d4
Status
experimental
Level
high
Type
Emerging Threat
Created
Mon Oct 20
Path
rules-emerging-threats/2025/Exploits/CVE-2025-57791/proc_creation_win_exploit_cve_2025_57791.yml
Raw Tags
attack.initial-accessattack.t1190detection.emerging-threatscve.2025-57791