CVE-2025-3928
published 2025-04-25


Priority: P1 (score 83), high
CVSS 3.1 base score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
KEV: listed in the CISA Known Exploited Vulnerabilities catalog, remediation due 2025-05-19
ITW: exploited in the wild
EPSS: 1.93% (77.5th percentile)
Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker. According to the Commvault advisory: "Webservers can be compromised through bad actors creating and executing webshells." Fixed in versions 11.36.46, 11.32.89, 11.28.141 and 11.20.217 on both Windows and Linux. This vulnerability was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on 2025-04-28.

Affected

9 ranges

Vendor      Product                                   Version range               Fixed in
commvault   commvault                                 >= 11.20.0 < 11.20.217      11.20.217
commvault   commvault                                 >= 11.28.0 < 11.28.141      11.28.141
commvault   commvault                                 >= 11.32.0 < 11.32.89       11.32.89
commvault   commvault                                 >= 11.36.0 < 11.36.46       11.36.46
commvault   web_server                                >= 11.20.0 < 11.20.217      11.20.217
commvault   web_server                                >= 11.28.0 < 11.28.141      11.28.141
commvault   web_server                                >= 11.32.0 < 11.32.89       11.32.89
commvault   web_server                                >= 11.36.0 < 11.36.46       11.36.46
msrc        cm1_vim_8.2.3582-1_on_cbl_mariner_1.0
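The four affected branches above each have their own fixed-in build, so a fleet check has to match the feature release (11.20, 11.28, 11.32, 11.36) before comparing the maintenance number. The script below is an added example, not code from Commvault or from this page's source; it encodes only the ranges listed in the table, and reports any branch the table does not list (11.24.x, for instance) as "unknown" rather than assuming it is safe. The fleet inventory at the bottom is constructed sample data.

```python
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Affected branches exactly as listed in the table above: (first affected, fixed-in).
AFFECTED_RANGES: Dict[Tuple[int, int], Tuple[Version, Version]] = {
    (11, 20): ((11, 20, 0), (11, 20, 217)),
    (11, 28): ((11, 28, 0), (11, 28, 141)),
    (11, 32): ((11, 32, 0), (11, 32, 89)),
    (11, 36): ((11, 36, 0), (11, 36, 46)),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Pull major.feature.maintenance out of strings like '11.36.45' or
    'Version 11.36.45 (SP36)'; raises if no x.y.z is present."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def assess(text: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unknown' for one version string.
    'unknown' means the branch is not in the advisory's list, which is
    deliberately not treated as 'fixed'."""
    v = parse_version(text)
    branch = AFFECTED_RANGES.get(v[:2])
    if branch is None:
        return "unknown"
    first, fixed = branch
    return "vulnerable" if first <= v < fixed else "fixed"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> status for an inventory of {host: version string}."""
    return {host: assess(ver) for host, ver in inventory.items()}


# Constructed sample inventory; host names and versions are illustrative.
SAMPLE_FLEET = {
    "cv-web-01": "11.36.45",
    "cv-web-02": "Version 11.36.46 (SP36)",
    "cv-web-03": "11.28.140",
    "cv-web-04": "11.20.217",
    "cv-web-05": "11.24.30",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_FLEET).items():
        print(f"{host:10} {SAMPLE_FLEET[host]:28} {status}")
```

Run it against the output of your own version inventory; the comparison is on the (major, feature, maintenance) tuple, so "11.36.46" correctly sorts as fixed while "11.36.45" does not.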

Detection & IOCs (extracted from sources)

Other: webshell creation and execution on Commvault Web Server
  • Monitor for webshell creation and execution artifacts on Commvault Web Server hosts (Windows and Linux). The attacker must be remote and authenticated, so look for anomalous authenticated sessions followed by new script or web file writes in the Commvault web server directories.
  • Monitor sign-in activity for access attempts from IP addresses outside the allowed ranges, particularly for the Microsoft 365, Dynamics 365 and Azure AD single-tenant app registrations associated with Commvault.
  • Apply a Conditional Access policy to all Microsoft 365, Dynamics 365 and Azure AD single-tenant app registrations to detect and block unauthorized access attempts that use compromised Commvault credentials or app registrations.
  • Rotate and monitor the client secrets shared between Commvault and the Azure portal; unexpected or unauthorized client secret use may indicate post-exploitation activity following CVE-2025-3928 exploitation.
  • Prioritize patching Commvault Web Server to a fixed version: 11.36.46, 11.32.89, 11.28.141 or 11.20.217 on both Windows and Linux. Unpatched, internet-exposed instances are the observed exploitation targets.
  • Exploitation requires the attacker to be remote and authenticated; the CVSS vector (PR:L) indicates that low-privilege authenticated access is sufficient. Internet-exposed Commvault Web Server instances are at highest risk.
  • The vulnerability is described as "unspecified": no technical details of the root cause or of a specific webshell payload have been publicly disclosed, so signature-based detection is limited and defenders must rely on behavioural indicators.
  • The vendor advisory and IOC document are available on the Commvault security advisory page; consult Commvault's official IOC list for the most current indicators.
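Because no payload signature is public, the practical detection is the sequence the list above describes: an authenticated session, then a new web-executable file under the web server's content root. The script below is an added example of that correlation and is not Commvault's code or a published IOC rule. The web root paths, the allowed-source networks, the 30-minute lookback and the webshell content markers are all assumptions chosen for illustration, and the authentication and file-write events at the bottom are constructed, not real logs.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Assumptions, not values from the advisory: content roots served by the Commvault
# web server, and the networks that are expected to use it.
WEB_ROOTS = ("/opt/commvault/webserver/", "c:/program files/commvault/contentstore/")
ALLOWED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
WEB_EXEC_EXT = (".aspx", ".ashx", ".asmx", ".cshtml", ".jsp", ".jspx", ".php")
WINDOW = timedelta(minutes=30)  # how far back to look for the authenticated session
# Generic webshell markers (assumed heuristics, not Commvault-published indicators).
SHELL_MARKERS = re.compile(
    r"(eval\s*\(|Request\[|ProcessStartInfo|Runtime\.getRuntime|cmd\.exe|/bin/sh)", re.I
)


@dataclass
class Auth:
    ts: datetime
    user: str
    src_ip: str


@dataclass
class FileWrite:
    ts: datetime
    path: str
    content: str = ""


@dataclass
class Finding:
    path: str
    severity: str
    reasons: List[str]
    user: Optional[str] = None
    src_ip: Optional[str] = None


def _norm(path: str) -> str:
    """Case-fold and use forward slashes so Windows and Linux paths compare alike."""
    return path.replace("\\", "/").lower()


def is_web_executable(path: str) -> bool:
    n = _norm(path)
    return n.startswith(WEB_ROOTS) and n.endswith(WEB_EXEC_EXT)


def correlate(auths: List[Auth], writes: List[FileWrite]) -> List[Finding]:
    """Flag web-executable writes under a web root; raise severity when the most
    recent authenticated session came from outside the allowed ranges or the
    file content carries webshell markers."""
    findings: List[Finding] = []
    for w in writes:
        if not is_web_executable(w.path):
            continue
        reasons = ["web-executable file written under web root"]
        severity = "medium"
        prior = [a for a in auths if w.ts - WINDOW <= a.ts <= w.ts]
        last = max(prior, key=lambda a: a.ts, default=None)
        if last is not None:
            reasons.append(f"preceded by authenticated session of {last.user}")
            if not any(ip_address(last.src_ip) in net for net in ALLOWED_NETS):
                reasons.append(f"session source {last.src_ip} outside allowed ranges")
                severity = "high"
        if SHELL_MARKERS.search(w.content):
            reasons.append("content matches webshell markers")
            severity = "high"
        findings.append(Finding(w.path, severity, reasons,
                                last.user if last else None,
                                last.src_ip if last else None))
    return findings


# Constructed sample events (not real logs).
T0 = datetime(2025, 4, 20, 9, 0, 0)
SAMPLE_AUTHS = [
    Auth(T0, "backupadmin", "10.1.2.3"),
    Auth(T0 + timedelta(minutes=40), "svc_reports", "203.0.113.7"),
]
SAMPLE_WRITES = [
    FileWrite(T0 + timedelta(minutes=5), "/opt/commvault/webserver/logs/web.log", "GET /console"),
    FileWrite(T0 + timedelta(minutes=45), "/opt/commvault/webserver/app/health.aspx",
              '<%@ Page Language="C#" %><% System.Diagnostics.Process.Start("cmd.exe", Request["c"]); %>'),
    FileWrite(T0 + timedelta(minutes=50), "C:\\Program Files\\Commvault\\ContentStore\\Web\\x.jsp", ""),
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_AUTHS, SAMPLE_WRITES):
        print(f.severity.upper(), f.path, "|", "; ".join(f.reasons))
```

The file-write and sign-in events would come from whatever you already collect (Sysmon or auditd file-create events and the web server's access or authentication log); the point is the ordering and the source-IP check, not the exact log format. Tune the roots and allowed networks to your deployment before relying on the severity labels.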

CVSS provenance

Source        Version   Score   Severity   Vector
nvd           3.1       8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd           4.0       8.7     HIGH       CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck               8.7     HIGH
cisa                    8.7     HIGH
vendor_msrc             7.8     HIGH