CVE-2025-3928
Published 2025-04-25
Priority: P1 · 83 · high · 8.8 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
KEV · ITW
CISA Known Exploited Vulnerability, due 2025-05-19
Exploited in the wild
EPSS: 1.93% (77.5th percentile)
Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker. According to the Commvault advisory: "Webservers can be compromised through bad actors creating and executing webshells." Fixed in versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for Windows and Linux platforms. This vulnerability was added to the CISA Known Exploited Vulnerabilities (KEV) Catalog on 2025-04-28.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| commvault | commvault | >= 11.20.0 < 11.20.217 | 11.20.217 |
| commvault | commvault | >= 11.28.0 < 11.28.141 | 11.28.141 |
| commvault | commvault | >= 11.32.0 < 11.32.89 | 11.32.89 |
| commvault | commvault | >= 11.36.0 < 11.36.46 | 11.36.46 |
| commvault | web_server | >= 11.20.0 < 11.20.217 | 11.20.217 |
| commvault | web_server | >= 11.28.0 < 11.28.141 | 11.28.141 |
| commvault | web_server | >= 11.32.0 < 11.32.89 | 11.32.89 |
| commvault | web_server | >= 11.36.0 < 11.36.46 | 11.36.46 |
| msrc | cm1_vim_8.2.3582-1_on_cbl_mariner_1.0 | — | — |
Detection & IOCs (extracted from sources)
- Monitor for webshell creation and execution artifacts on Commvault Web Server hosts (Windows and Linux). The attacker must be remote and authenticated; look for anomalous authenticated sessions followed by new script/web file writes in the Commvault web server directories.
- Monitor sign-in activity to detect access attempts originating from IP addresses outside of allowed ranges, particularly for Microsoft 365, Dynamics 365, and Azure AD single-tenant App registrations associated with Commvault.
- Apply a Conditional Access policy to all Microsoft 365, Dynamics 365, and Azure AD single-tenant App registrations to detect and block unauthorized access attempts leveraging compromised Commvault credentials or app registrations.
- Rotate and monitor client secrets between Commvault and the Azure portal; unexpected or unauthorized client secret usage may indicate post-exploitation activity following CVE-2025-3928 exploitation.
- Prioritize patching Commvault Web Server to the fixed versions: 11.36.46, 11.32.89, 11.28.141, or 11.20.217 on both Windows and Linux. Unpatched instances exposed to the internet with authenticated access are confirmed exploitation targets.
- Exploitation requires the attacker to be remote AND authenticated (low-privilege authenticated access is sufficient). Internet-exposed Commvault Web Server instances are at highest risk.
- The vulnerability is described as 'unspecified': no technical details of the root cause or specific webshell payload have been publicly disclosed, limiting signature-based detection to behavioral indicators.
- The vendor advisory and IOC document are available at the Commvault security advisory page; defenders should consult the official IOC list published by Commvault for the most current indicators.
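The first detection item above is a behavioral correlation rather than a signature: an authenticated session on a web server host, followed shortly afterwards by a new script or web file appearing under the web content directories. The script below is an added example of that correlation, written for this page; it is not Commvault code and does not come from any advisory. It assumes two constructed telemetry feeds merged into one pipe-delimited stream (web logins and file-create events from EDR or file-integrity monitoring), and the watched directory roots, hostnames, accounts and IP addresses are placeholders to be replaced with the real Commvault Web Server install paths and your own environment's values.

```python
"""Correlate authenticated web sessions with subsequent web-file writes.

Added example, not Commvault's code. It flags a script/web file created
under a web content directory on a host that saw an authenticated session
within a short preceding window, which is the behavioural indicator the
detection guidance above describes. All paths, hosts, accounts and
addresses are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Placeholder content roots: substitute the real Commvault Web Server
# web directories for your Windows and Linux hosts.
WATCHED_DIRS = (
    "/opt/webserver-placeholder/webroot",
    r"C:\webserver-placeholder\webroot",
)
# Extensions that should never appear as new files under a web root
# outside of a planned deployment.
SCRIPT_EXTS = (".jsp", ".jspx", ".aspx", ".ashx", ".asmx", ".php", ".war")
WINDOW = timedelta(minutes=30)


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str     # "login" or "file_create"
    host: str
    actor: str    # account for logins, writing process for file creates
    detail: str   # source IP for logins, file path for file creates


def parse_line(line: str) -> Event:
    """Parse one constructed line: ts | kind | host | actor | detail."""
    ts, kind, host, actor, detail = (f.strip() for f in line.split("|", 4))
    return Event(datetime.fromisoformat(ts), kind, host, actor, detail)


def _norm(path: str) -> str:
    return path.lower().replace("\\", "/")


def is_web_script_write(path: str) -> bool:
    """True when a path is a script/web file under a watched web root."""
    p = _norm(path)
    in_dir = any(p.startswith(_norm(d)) for d in WATCHED_DIRS)
    return in_dir and p.endswith(SCRIPT_EXTS)


def find_suspicious(lines, window: timedelta = WINDOW):
    """Return (file_event, [preceding logins]) for every script write under
    a web root on a host that had an authenticated session within `window`."""
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e.ts)
    logins = defaultdict(list)  # host -> logins seen so far
    hits = []
    for ev in events:
        if ev.kind == "login":
            logins[ev.host].append(ev)
        elif ev.kind == "file_create" and is_web_script_write(ev.detail):
            sessions = [s for s in logins[ev.host] if ev.ts - s.ts <= window]
            if sessions:
                hits.append((ev, sessions))
    return hits


# Constructed sample telemetry (raw string so Windows paths survive).
SAMPLE = r"""
2025-04-20T10:00:00 | login | cvweb01 | svc_backup | 198.51.100.7
2025-04-20T10:04:12 | file_create | cvweb01 | w3wp.exe | C:\webserver-placeholder\webroot\tmp\x.aspx
2025-04-20T11:30:00 | login | cvweb01 | admin | 192.0.2.44
2025-04-20T11:31:00 | file_create | cvweb01 | w3wp.exe | C:\webserver-placeholder\webroot\reports\q1.pdf
2025-04-20T12:00:00 | login | cvweb02 | carol | 203.0.113.9
2025-04-20T13:15:00 | file_create | cvweb02 | java | /opt/webserver-placeholder/webroot/a.jsp
"""


def main() -> None:
    for ev, sessions in find_suspicious(SAMPLE.splitlines()):
        who = ", ".join(f"{s.actor}@{s.detail} at {s.ts:%H:%M}" for s in sessions)
        print(f"[{ev.host}] script write {ev.detail} by {ev.actor} "
              f"at {ev.ts:%H:%M}; preceding logins: {who}")


if __name__ == "__main__":
    main()
```

In the sample, only the `.aspx` write on cvweb01 is reported: the PDF is not a script, and the `.jsp` on cvweb02 lands 75 minutes after the last login, outside the window. Correlating by host rather than by account is deliberate, since the file is written by the web server process, not by the authenticated user; the report lists every candidate session so an analyst can pivot to the source addresses and compare them with the allowed ranges mentioned in the second detection item.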
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | — | 8.7 | HIGH | — |
| cisa | — | 8.7 | HIGH | — |
| vendor_msrc | — | 7.8 | HIGH | — |
GHSA
GHSA-wqxv-v2vg-q37x [HIGH]: Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker
ghsa_unreviewed · 2025-04-25
Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker. According to the Commvault advisory: "Webservers can be compromised through bad actors creating and executing webshells." Fixed in versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for Windows and Linux platforms.
VulnCheck
Commvault Web Server Unspecified Vulnerability [HIGH]
vulncheck · 2025 · CVSS 8.7
Commvault Web Server contains an unspecified vulnerability that allows a remote, authenticated attacker to create and execute webshells.
Affected: Commvault Web Server
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.commvault.com/blogs/security-advisory-march-7-2025; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.commvault.com/blogs/customer-security-update; https://www.cisa.gov/news-events/alerts/2025/05/22/advisory-update-cyber-threat-activity-targeting-commvaults-saas-cloud-application-metallic; https://www.nextgov.com
CISA
Commvault Web Server Unspecified Vulnerability [HIGH]
cisa · 2025-04-28 · CVSS 8.7
Affected: Commvault Web Server
Commvault Web Server contains an unspecified vulnerability that allows a remote, authenticated attacker to create and execute webshells.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://documentation.commvault.com/securityadvisories/CV_2025_03_1.html; https://www.commvault.com/blogs/notice-security-advisory-update; https://nvd.nist.gov/vuln/detail/CVE-2025-3928
Remediation Due Date: 2025-05-19
Microsoft
CVE-2021-3928 [HIGH] CWE-457 Use of Uninitialized Variable in vim/vim
vendor_msrc · 2021-11-09 · CVSS 7.8
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
@huntrdev: @huntrdev
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.micros
No detection rules found.
No public exploits indexed.
Wiz
Crying Out Cloud Newsletter - June 2025 | Wiz [CRITICAL]
blogs_wiz · 2025-06-01 · CVSS 9.8
Welcome back!
This month we’ve seen a lot of action, with both vulnerabilities and security incidents that have left users affected. We bring you the latest cloud security highlights, to help you stay informed and stay secure. Here are our top picks of cloud security highlights!
## 🔍 Highlights
## Ivanti EPMM RCE Vulnerability Chain Exploited in the Wild
On May 13th, 2025, Ivanti disclosed that Endpoint Manager Mobile (EPMM) is affected by a vulnerability chain combining an authentication bypass (CVE-2025-4427) and a post-authentication remote code execution vulnerability (CVE-2025-4428). These flaws, which stem from unsafe use of Java Expression Language in error messages and misconfigured routing, can be exploited together to achieve unauthenticated RCE. Therefore, while neither of t
Bleepingcomputer
## Commvault says recent breach didn't impact customer backup data
blogs_bleepingcomputer · 2025-04-30
## Sergiu Gatlan
Commvault, a leading provider of data protection solutions, says a nation-state threat actor who breached its Azure environment didn't gain access to customer backup data.
Listed on NASDAQ since March 2006, Commvault is included in the S&P MidCap 400 Index and provides cyber resilience services to over 100,000 organizations.
As the company first revealed on March 7, 2025, Commvault discovered the incident after being notified by Microsoft on February 20 of suspicious activity within its Azure environment. A follow-up investigation into the breach found that the incident only affected a small number of Commvault customers and had not impacted the company's operations.
"Importantly, there has been no un
Bleepingcomputer
## CISA tags Broadcom Fabric OS, CommVault flaws as exploited in attacks [HIGH]
blogs_bleepingcomputer · 2025-04-29 · CVSS 8.6
## Bill Toulas
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is warning of Broadcom Brocade Fabric OS, Commvault web servers, and Qualitia Active! Mail clients vulnerabilities that are actively exploited in attacks.
The flaws were added yesterday to CISA's 'Known Exploited Vulnerabilities' (KEV) catalog, with the Broadcom Brocade Fabric OS and Commvault flaws not previously tagged as exploited.
Broadcom Brocade Fabric OS is a specialized operating system that runs on the company's Brocade Fibre Channel switches to manage and optimize storage area networks (SAN).
Earlier this month, Broadcom disclosed an arbitrary code execution flaw impacting Fabric OS versions 9.1.0 through 9.1.1d6, tracked und
Bugzilla
CVE-2024-21536 [HIGH] http-proxy-middleware: Denial of Service
bugzilla · 2024-10-19 · CVSS 7.5
Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.
Discussion:
This issue has been addressed in the following products:
Red Hat OpenShift Service Mesh 2.6 for RHEL 8
Red Hat OpenShift Service Mesh 2.6 for RHEL 9
Via RHSA-2024:9627 https://access.redhat.com/errata/RHSA-2024:9627
---
This issue has been addressed in the following products:
Red Hat Advanced Cluster Security 4.5
Via RHSA-2025:3928 https://access.redhat.com/errata/RHSA-2025:3928
---
This issue has been addressed in the fol
References
- https://documentation.commvault.com/securityadvisories/CV_2025_03_1.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2025-3928
- https://www.cisa.gov/news-events/alerts/2025/05/22/advisory-update-cyber-threat-activity-targeting-commvaults-saas-cloud-application-metallic
- https://www.commvault.com/blogs/customer-security-update
- https://www.commvault.com/blogs/notice-security-advisory-update
- https://www.commvault.com/blogs/security-advisory-march-7-2025
- https://www.bleepingcomputer.com/news/security/commvault-says-recent-breach-didnt-impact-customer-backup-data/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-3928
Timeline
- 2025-04-25: Published
- 2025-04-28: Added to CISA KEV
- Exploited in the wild