CVE-2025-12776: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Commvault WebConsole
The Report Builder component of the application stores user input directly in a web page and displays it to other users, which raised concerns about a possible Cross-Site Scripting (XSS) attack. Proper management of this functionality helps ensure a secure and seamless user experience. Although the user input is not validated during report creation, these scripts are not executed when the report is run by end users. The script is executed when the report is modified through the Report Builder by a user with edit permissions. The Report Builder is part of the WebConsole. The WebConsole package is currently end-of-life and is no longer maintained. We strongly recommend against installing or using it in any production environment. However, if you choose to install it, for example to access functionality like the Report Builder, it must be deployed within a fully isolated network that has no access to sensitive data or internet connectivity. This is a critical security precaution, as the retired package may contain unpatched vulnerabilities and is no longer supported with updates or fixes.
AI Analysis
Technical Summary
CVE-2025-12776 identifies a Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, in the Report Builder component of Commvault's WebConsole product, specifically affecting versions 11.32.0 and 11.36.0. The vulnerability stems from improper neutralization of user input during web page generation: the Report Builder stores user input directly in a web page without validation. The stored input is rendered and executed as script only when a user with edit permissions modifies the report in the Report Builder, not when the report is simply run by end users. This limits the attack vector to authenticated users with elevated privileges who interact with the Report Builder interface. The WebConsole product is officially end-of-life and no longer receives security patches or updates, so this and potentially other vulnerabilities remain unaddressed. The CVSS 4.0 base score is 1.8, indicating low severity: the attack vector is network-based, high privileges are required, partial user interaction is needed, and the confidentiality and integrity impact is limited. No known exploits have been reported in the wild. The vendor strongly recommends against using the WebConsole in production environments and advises deploying it only in fully isolated networks without access to sensitive data or internet connectivity to mitigate risk. This vulnerability highlights the risk of continuing to run unsupported legacy software in critical environments.
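Because the WebConsole is end-of-life and will not receive a fix, a defender's practical options are to audit what is already stored and to show what the missing neutralization step looks like. The following is an added example, not Commvault code: it scans constructed report-definition records (the field names and JSON shape are assumptions, not the product's real schema) for markup that would execute when a user with edit permissions opens the report in the builder, and applies the HTML encoding that CWE-79 calls for before a stored value is written back into the edit page.

```python
import html
import json
import re

# Constructed sample records standing in for stored report definitions.
# Field names ("name", "description", "owner") are assumptions for this example.
STORED_REPORTS = json.loads("""[
  {"id": 1, "owner": "alice", "name": "Backup summary", "description": "Daily job status"},
  {"id": 2, "owner": "bob", "name": "Q3 <script>alert(1)</script>", "description": "Quarterly"},
  {"id": 3, "owner": "carol", "name": "Audit", "description": "<img src=x onerror=alert(1)>"}
]""")

# Markup that becomes active if a stored field is written into the page
# unencoded, which is what the advisory describes the Report Builder doing.
ACTIVE_MARKUP = re.compile(
    r"<\s*script\b|<\s*(?:iframe|object|embed|svg)\b|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)


def find_active_markup(reports, fields=("name", "description")):
    """Return (report id, owner, field) for every stored field holding active markup.

    This is the audit a defender can run against report storage while the
    product remains unpatched; hits identify which reports to clean up and
    which accounts created them (mitigation items 3 and 5 on this page).
    """
    hits = []
    for report in reports:
        for field in fields:
            value = report.get(field, "")
            if isinstance(value, str) and ACTIVE_MARKUP.search(value):
                hits.append((report["id"], report["owner"], field))
    return hits


def neutralize(value):
    """Encode a stored string so the browser renders it as text, not markup (CWE-79 fix)."""
    return html.escape(value, quote=True)


def safe_edit_field(name):
    """Build the edit-form input for a report name with the value attribute encoded.

    The unencoded form, f'<input name="report_name" value="{name}">', is the
    pattern the advisory describes; this version closes it.
    """
    return f'<input name="report_name" value="{neutralize(name)}">'


if __name__ == "__main__":
    for report_id, owner, field in find_active_markup(STORED_REPORTS):
        print(f"report {report_id} ({owner}): active markup in '{field}'")
```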
Potential Impact
For European organizations, the direct impact of CVE-2025-12776 is limited due to the low severity and the requirement for authenticated users with edit permissions to trigger the XSS. However, the presence of this vulnerability in an end-of-life product that is no longer maintained raises broader security concerns. If exploited, it could allow an attacker with legitimate access to execute arbitrary scripts in the context of the WebConsole interface, potentially leading to session hijacking, privilege escalation, or manipulation of report data. This could undermine data integrity and user trust. In sectors with stringent data protection regulations such as GDPR, even low-severity vulnerabilities in legacy systems can pose compliance risks if they lead to unauthorized data exposure or system compromise. Additionally, the use of unsupported software increases the attack surface and may attract adversaries targeting legacy infrastructure. Organizations relying on Commvault WebConsole for backup and data management should assess the risk of continued use, especially in environments handling sensitive or regulated data, and consider the potential operational impact of a compromise.
Mitigation Recommendations
1. Immediately discontinue use of the Commvault WebConsole product in production environments, as it is end-of-life and unsupported.
2. If continued use is unavoidable, deploy the WebConsole within a fully isolated network segment that has no access to sensitive data repositories or internet connectivity to contain potential exploitation.
3. Restrict access to the Report Builder component strictly to trusted administrators with a clear need for edit permissions, minimizing the number of users who can trigger the vulnerability.
4. Implement strict network segmentation and access controls to limit exposure of the WebConsole interface.
5. Monitor logs and user activities related to report modifications for unusual or unauthorized behavior.
6. Consider migrating to supported Commvault products or alternative solutions that receive regular security updates.
7. Educate administrators about the risks of legacy software and the importance of timely patching and decommissioning unsupported systems.
8. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious script injection attempts targeting the Report Builder interface.
9. Regularly review and update security policies to ensure legacy systems are identified and managed appropriately.
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: Commvault
- Date Reserved: 2025-11-05T20:18:49.381Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 695edb802efadb62cf875e89
Added to database: 1/7/2026, 10:17:36 PM
Last enriched: 1/7/2026, 10:32:41 PM
Last updated: 1/8/2026, 10:54:37 PM