CVE-2025-12776 identifies a Cross-Site Scripting (XSS) vulnerability in the Report Builder component of the Commvault WebConsole product, specifically affecting versions 11.32.0 and 11.36.0. The issue stems from improper neutralization of user input (CWE-79) during web page generation, where input is stored directly in the report's web page without validation. This allows an attacker with edit permissions to inject malicious scripts that execute when the report is modified in the Report Builder interface. Notably, the scripts do not execute when the report is simply viewed or run by end users, limiting the attack surface. The WebConsole package is end-of-life and no longer maintained, meaning no patches or security updates will be provided, increasing the risk of exploitation if deployed. The vulnerability requires a user with edit privileges and user interaction to trigger script execution, which reduces its exploitability. The CVSS 4.0 vector indicates network attack vector, low attack complexity, partial authentication required, user interaction needed, and low impact on confidentiality and integrity, with no impact on availability. No known exploits have been reported in the wild. The vendor strongly recommends against using the WebConsole in production environments and suggests isolating it in fully segmented networks if used for legacy functionality like the Report Builder.

For European organizations, the impact of this vulnerability is relatively low due to the limited execution context and requirement for edit permissions. However, if exploited, it could allow an attacker with legitimate edit access to execute malicious scripts within the Report Builder interface, potentially leading to session hijacking, privilege escalation, or lateral movement within the isolated environment. Since the WebConsole is end-of-life and no longer supported, organizations relying on it face increased risk from unpatched vulnerabilities and lack of vendor support. The isolation recommendation is critical to prevent exposure of sensitive data or systems. Organizations in sectors with strict data protection regulations (e.g., GDPR) must be cautious, as any compromise could lead to data breaches or compliance violations. The low CVSS score reflects limited impact, but the risk is amplified by the product's unsupported status and potential for overlooked vulnerabilities.

Given the WebConsole is end-of-life, the primary mitigation is to discontinue its use in production environments entirely. If continued use is unavoidable, deploy the WebConsole and Report Builder within a fully isolated network segment that has no connectivity to sensitive data repositories or the internet. Restrict edit permissions strictly to trusted administrators and monitor all report modifications for suspicious activity. Employ network segmentation and strict access controls to limit exposure. Consider migrating to supported Commvault products or alternative solutions that receive regular security updates. Additionally, implement web application firewalls (WAFs) to detect and block potential XSS payloads targeting the Report Builder interface. Regularly audit user permissions and logs to detect unauthorized access or attempts to exploit this vulnerability. Since no patches are available, compensating controls and isolation are essential.