SB2026030325 - Weak password policy in Commvault
Published: March 3, 2026
Security Bulletin ID
SB2026030325
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Weak password requirements (CVE-ID: N/A)
The vulnerability allows an attacker to perform brute-force attack and guess the OTP token.
The vulnerability exists due to the application does not invalidate previously generated One-Time Passwords (OTPs) codes during authentication. A remote attacker can generate multiple OTP codes and brute-force them, increasing potential success rates.
Remediation
Install update from vendor's website.