
CERT Coordination Center

Commvault Edge contains a buffer overflow vulnerability

Vulnerability Note VU#214283

Original Release Date: 2017-03-16 | Last Revised: 2017-03-16


Commvault Edge, version 11 SP6, is vulnerable to a stack-based buffer overflow.


CWE-121: Stack-based Buffer Overflow - CVE-2017-3195

A stack-based buffer overflow in the Commvault Edge Communication Service (cvd) allows remote attackers to execute arbitrary code via crafted packets, exploiting weaknesses in the key exchange mechanism. Access to TCP port 8400 (by default) on the target machine is necessary to exploit this vulnerability.


An unauthenticated remote attacker can execute arbitrary code with root/SYSTEM privileges.


Apply an update
Commvault has provided fixes in the latest service pack (SP7 and above) to address the vulnerability. SP6 customers can use hotfix 590.

Vendor Information


Commvault: Affected

Notified: January 24, 2017 | Updated: March 16, 2017



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

CVSS Metrics

Group Score Vector
Base 10 AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal 7.8 E:POC/RL:OF/RC:C
Environmental 2.0 CDP:ND/TD:L/CR:ND/IR:ND/AR:ND
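The three scores in the table can be recomputed from their vectors. The calculator below is an added example, not part of the CERT note; it uses the CVSS v2.0 guide's metric weights and the vectors listed above, and it shows why the environmental score falls to 2.0: with no collateral damage potential (CDP:ND), a low target distribution (TD:L) simply scales the 7.8 temporal score by 0.25.

```python
from decimal import Decimal, ROUND_HALF_UP

# Vectors exactly as listed in the VU#214283 CVSS table.
BASE_VEC = "AV:N/AC:L/Au:N/C:C/I:C/A:C"
TEMPORAL_VEC = "E:POC/RL:OF/RC:C"
ENV_VEC = "CDP:ND/TD:L/CR:ND/IR:ND/AR:ND"

# CVSS v2.0 guide weights as strings so every step runs in Decimal: a binary
# float would round the 1.95 environmental result to 1.9 instead of 2.0.
CIA = {"N": "0", "P": "0.275", "C": "0.660"}
REQ = {"L": "0.5", "M": "1.0", "H": "1.51", "ND": "1.0"}
W = {
    "AV": {"L": "0.395", "A": "0.646", "N": "1.0"},
    "AC": {"H": "0.35", "M": "0.61", "L": "0.71"},
    "Au": {"M": "0.45", "S": "0.56", "N": "0.704"},
    "C": CIA, "I": CIA, "A": CIA,
    "E": {"U": "0.85", "POC": "0.9", "F": "0.95", "H": "1.0", "ND": "1.0"},
    "RL": {"OF": "0.87", "TF": "0.90", "W": "0.95", "U": "1.0", "ND": "1.0"},
    "RC": {"UC": "0.90", "UR": "0.95", "C": "1.0", "ND": "1.0"},
    "CDP": {"N": "0", "L": "0.1", "LM": "0.3", "MH": "0.4", "H": "0.5", "ND": "0"},
    "TD": {"N": "0", "L": "0.25", "M": "0.75", "H": "1.0", "ND": "1.0"},
    "CR": REQ, "IR": REQ, "AR": REQ,
}

def parse(vector):
    """'AV:N/AC:L/...' -> {metric: Decimal weight}; an unknown value raises KeyError."""
    pairs = (part.split(":") for part in vector.split("/"))
    return {name: Decimal(W[name][value]) for name, value in pairs}

def r1(x):  # CVSS round_to_1_decimal: half-up, unlike Python's banker's round()
    return x.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)

def base_score(m, env=None):
    # With env given, CR/IR/AR weight the impact terms (the AdjustedImpact variant).
    env = env or {k: Decimal(1) for k in ("CR", "IR", "AR")}
    impact = Decimal("10.41") * (1 - (1 - m["C"] * env["CR"])
                                 * (1 - m["I"] * env["IR"]) * (1 - m["A"] * env["AR"]))
    impact = min(impact, Decimal(10))
    exploitability = 20 * m["AV"] * m["AC"] * m["Au"]
    f_impact = Decimal(0) if impact == 0 else Decimal("1.176")
    return r1((Decimal("0.6") * impact + Decimal("0.4") * exploitability - Decimal("1.5")) * f_impact)

def cvss2_scores(base_vec, temporal_vec, env_vec):
    """Return (base, temporal, environmental) as Decimals rounded to one place."""
    m, t, e = parse(base_vec), parse(temporal_vec), parse(env_vec)
    temporal = lambda b: r1(b * t["E"] * t["RL"] * t["RC"])
    base = base_score(m)
    adjusted_temporal = temporal(base_score(m, e))  # temporal score of the adjusted base
    environmental = r1((adjusted_temporal + (10 - adjusted_temporal) * e["CDP"]) * e["TD"])
    return base, temporal(base), environmental
```

Calling cvss2_scores(BASE_VEC, TEMPORAL_VEC, ENV_VEC) returns (10.0, 7.8, 2.0); changing TD:L to TD:H in the environmental vector returns an environmental score equal to the temporal 7.8, which is the figure to use for a site where the product is widely deployed.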



Thanks to Claudio Moletta for reporting this vulnerability.

This document was written by Trent Novelly.

Other Information

CVE IDs: CVE-2017-3195
Date Public: 2017-03-15
Date First Published: 2017-03-16
Date Last Updated: 2017-03-16 13:26 UTC
Document Revision: 10

Sponsored by CISA.