The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two exploited flaws to its KEV catalog. These vulnerabilities affect Commvault Web Server and Broadcom Brocade Fabric OS, both of which pose high risks. CISA confirmed that malicious actors are actively exploiting these flaws in real-world environments. Organizations are advised to act promptly to reduce the risk of compromise.
The first flaw, CVE-2025-3928, targets Commvault Web Server on both Windows and Linux platforms.
Remote attackers with valid credentials can execute webshells and gain persistent system access. Commvault clarified that exploitation requires the environment to be online and already compromised. The vulnerability was patched in updates released for affected versions as early as February 2025.
The second vulnerability, CVE-2025-1976, affects Broadcom Brocade Fabric OS from version 9.1.0 to 9.1.1d6.
It allows local admin users to execute arbitrary code with full root privileges. Broadcom identified the cause as improper IP address validation within the operating system. The company issued a patch in version 9.1.1d7 to correct this issue.
CISA issued a deadline of May 17, 2025, for Commvault patches and May 19, 2025, for Broadcom Fabric OS patches. These deadlines apply to Federal Civilian Executive Branch agencies under BOD 22-01. Other organizations are also urged to prioritize remediation immediately. Although no technical details are public, active exploitation underscores the urgency for swift patching.
Federal agencies must urgently apply Commvault patches by May 17 and Broadcom Fabric OS patches by May 19, 2025, in compliance with CISA’s BOD 22-01.
All organizations, despite the lack of public technical details, should treat the threat as active and prioritize immediate remediation to mitigate potential exploitation.