⚠ Actively exploited
Added to CISA KEV on 2025-04-28. Federal agencies required to patch by 2025-05-19. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CVE-2025-1976: Code Injection in Fabric Operating System

Severity: 8.6 HIGH (NVD)
EPSS: 0.9% (top 23.65%)
CISA KEV: KEV (added 2025-04-28, due 2025-05-19)
Exploit: No known exploits
Timeline:
  Published: Apr 24
  KEV added: Apr 28
  KEV due: May 19

Description

Brocade Fabric OS versions starting with 9.1.0 have root access removed; however, a local user with admin privilege can potentially execute arbitrary code with full root privileges on Fabric OS versions 9.1.0 through 9.1.1d6.

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages (2 packages)

Source: CVEList V5 | Package: brocade/fabric_os | Affected: Fabric OS versions 9.1.0 through 9.1.1d6
Source: NVD | Package: broadcom/fabric_operating_system | Version range: 9.1.0 to 9.1.1d7

🔴 Vulnerability Details (3)

CVEList: Code injection exposure in Fabric OS 9.1.0 through 9.1.1d6 (2025-04-24)
GHSA: GHSA-73hp-3m9v-h54h: Brocade Fabric OS versions starting with 9 (2025-04-24)
VulnCheck: Broadcom Brocade Fabric OS Code Injection Vulnerability (2025)

📋 Vendor Advisories (2)

CISA: Broadcom Brocade Fabric OS Code Injection Vulnerability (2025-04-28)
Microsoft: A flaw was found in the Linux kernel's implementation of IO-URING. This flaw allows an attacker with local executable permission to create a string of requests that can cause a use-after-free flaw wit (2022-08-09)
CVE-2025-1976 — Code Injection | cvebase