CVE-2025-1976
Published 2025-04-24
Priority: P1 79 · CVSS 3.1: 6.7 (medium)
CVSS 3.1 vector: AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Badges: KEV, ITW
CISA Known Exploited Vulnerability, remediation due 2025-05-19
Exploited in the wild
EPSS: 0.74% (49.8th percentile)
Brocade Fabric OS versions starting with 9.1.0 have root access removed, however, a local user with admin privilege can potentially execute arbitrary code with full root privileges on Fabric OS versions 9.1.0 through 9.1.1d6.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| broadcom | fabric_operating_system | >= 9.1.0 < 9.1.1d7 | 9.1.1d7 |
| brocade | fabric_os | — | — |
| msrc | cbl2_kernel_5.15.70.1-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| msrc | cm1_kernel_5.10.144.1-1_on_cbl_mariner_1.0 | — | — |
Detection & IOCs (extracted from sources)
- CVE-2025-1976 is confirmed actively exploited in the field against Brocade Fabric OS versions 9.1.0 through 9.1.1d6; treat any admin-level activity on these versions as high-risk and prioritize alerting.
- Classify CVE-2025-1976 as a code injection vulnerability enabling full root privilege escalation from an admin account on affected Brocade Fibre Channel switches managing SANs; audit all admin-role accounts on affected devices.
- Only Fabric OS versions 9.1.0 through 9.1.1d6 are affected; version 9.1.1d7 contains the fix and the 9.2.0 branch is not impacted, so scope detection rules accordingly.
- Exploitation requires a pre-existing valid local account with admin-role privileges; this is not a remote unauthenticated vector, so detection should focus on privileged insider or compromised admin credential scenarios.
- Broadcom's advisory (https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25602) is the authoritative vendor source for patch and mitigation details; the CISA remediation deadline is 2025-05-19.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.7 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 8.6 | HIGH | CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | — | 8.6 | HIGH | — |
| cisa | — | 8.6 | HIGH | — |
| vendor_msrc | — | 7.8 | HIGH | — |
CISA
Broadcom Brocade Fabric OS Code Injection Vulnerability
cisa · 2025-04-28 · CVSS 8.6 · CVE-2025-1976 [HIGH] · CWE-94
Affected: Broadcom Brocade Fabric OS
Broadcom Brocade Fabric OS contains a code injection vulnerability that allows a local user with administrative privileges to execute arbitrary code with full root privileges.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25602 ; https://nvd.nist.gov/vuln/detail/CVE-2025-1976
Remediation Due Date: 2025-05-19
Microsoft
A flaw was found in the Linux kernel's implementation of IO-URING (note: this entry concerns CVE-2022-1976, a separate Linux kernel issue, not CVE-2025-1976)
vendor_msrc · 2022-08-09 · CVSS 7.8 · CVE-2022-1976 [HIGH] · CWE-416
A flaw was found in the Linux kernel's implementation of IO-URING. This flaw allows an attacker with local executable permission to create a string of requests that can cause a use-after-free flaw within the kernel. This issue leads to memory corruption and possible privilege escalation.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post
GHSA
GHSA-73hp-3m9v-h54h
ghsa_unreviewed · 2025-04-24 · CVE-2025-1976 [HIGH] · CWE-78
Brocade Fabric OS versions starting with 9.1.0 have root access removed, however, a local user with admin privilege can potentially execute arbitrary code with full root privileges on Fabric OS versions 9.1.0 through 9.1.1d6.
VulnCheck
Broadcom Brocade Fabric OS Code Injection Vulnerability
vulncheck · 2025 · CVSS 8.6 · CVE-2025-1976 [HIGH] · CWE-94
Broadcom Brocade Fabric OS contains a code injection vulnerability that allows a local user with administrative privileges to execute arbitrary code with full root privileges.
Affected: Broadcom Brocade Fabric OS
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25602; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.loginsoft.com/reports/annually/vulnerability-intelligence-report-2025
Remediation Due: 2025-05-19
No detection rules found.
No public exploits indexed.
2025-04-24 · Published
2025-04-28 · Added to CISA KEV
Exploited in the wild