The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two high-severity vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. These flaws, affecting Broadcom Brocade Fabric OS and Commvault Web Server, have been actively exploited in the wild. CISA’s advisory highlights the importance of patching these issues to mitigate the risks posed to critical infrastructure.
Vulnerabilities Impacting Broadcom and Commvault Systems
The two vulnerabilities are as follows:
- CVE-2025-1976 (CVSS score: 8.6): A code injection flaw in Broadcom Brocade Fabric OS that allows local users with administrative privileges to execute arbitrary code with root access.
- CVE-2025-3928 (CVSS score: 8.7): A vulnerability in the Commvault Web Server enabling authenticated remote attackers to create and execute web shells.
CVE-2025-3928 requires the attacker to be authenticated: Commvault explained in its February 2025 advisory that the exploit path is not possible without prior access to legitimate user credentials. For the flaw to be exploitable, the environment must therefore meet several conditions, including being:
- Accessible via the internet.
- Compromised through another vulnerability.
- Accessed by using legitimate user credentials.
These preconditions layer the risk, but they also highlight the critical importance of controlling access to the web server and monitoring for unusual activity.
In Broadcom’s Fabric OS vulnerability, an attacker who already holds admin-level privileges can abuse a flaw in IP address validation to run arbitrary code as root. Affected systems are running Fabric OS versions 9.1.0 through 9.1.1d6, with a fix available in 9.1.1d7.
Affected Versions and Patching Timeline
Commvault Web Server (CVE-2025-3928):
The vulnerability affects Windows and Linux versions of Commvault Web Server:
- 11.36.0 – 11.36.45 (fixed in 11.36.46)
- 11.32.0 – 11.32.88 (fixed in 11.32.89)
- 11.28.0 – 11.28.140 (fixed in 11.28.141)
- 11.20.0 – 11.20.216 (fixed in 11.20.217)
For Federal Civilian Executive Branch (FCEB) agencies, patches must be applied by May 17, 2025.
Broadcom Brocade Fabric OS (CVE-2025-1976):
Broadcom’s vulnerability in Brocade Fabric OS versions 9.1.0 to 9.1.1d6 can be patched in version 9.1.1d7. The fix should be applied by May 19, 2025.
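As an added example (not part of the CISA, Commvault or Broadcom advisories), the following Python helper encodes the affected and fixed version ranges listed above so that an inventory of Commvault Web Server and Brocade Fabric OS versions can be checked against them; the ordering assumed for Fabric OS letter suffixes (9.1.1 < 9.1.1a < 9.1.1d < 9.1.1d6 < 9.1.1d7) is an assumption, and versions outside the listed ranges are reported as "not in the listed range", not as safe.

```python
import re
from typing import Optional, Tuple

# Commvault Web Server branches from the advisory:
# (major, minor) -> (last affected build, first fixed build)
COMMVAULT_BRANCHES = {
    (11, 36): (45, 46),
    (11, 32): (88, 89),
    (11, 28): (140, 141),
    (11, 20): (216, 217),
}

# Brocade Fabric OS range from the advisory: 9.1.0 through 9.1.1d6, fixed in 9.1.1d7
FABRIC_OS_FIRST_AFFECTED = "9.1.0"
FABRIC_OS_LAST_AFFECTED = "9.1.1d6"
FABRIC_OS_FIXED = "9.1.1d7"

# Accepts forms like 9.1.0, 9.1.1b, 9.1.1d6 (suffix ordering is an assumption)
_FOS_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z])?(\d+)?$")


def commvault_status(version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, first fixed build) for a version such as '11.32.50'.
    Branches not listed in the advisory return (False, None): not in the
    listed range, which is not a statement that they are safe."""
    major, minor, build = (int(p) for p in version.split("."))
    branch = COMMVAULT_BRANCHES.get((major, minor))
    if branch is None:
        return False, None
    last_affected, first_fixed = branch
    affected = build <= last_affected
    return affected, (f"{major}.{minor}.{first_fixed}" if affected else None)


def _fos_key(version: str) -> Tuple[int, int, int, str, int]:
    """Sort key for Fabric OS versions; a missing suffix sorts before 'a'."""
    m = _FOS_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Fabric OS version: {version!r}")
    major, minor, patch, letter, rev = m.groups()
    return int(major), int(minor), int(patch), letter or "", int(rev or 0)


def fabric_os_status(version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, fixed version) for a Fabric OS version such as '9.1.1b'."""
    key = _fos_key(version)
    affected = _fos_key(FABRIC_OS_FIRST_AFFECTED) <= key <= _fos_key(FABRIC_OS_LAST_AFFECTED)
    return affected, (FABRIC_OS_FIXED if affected else None)
```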
Both vulnerabilities have been actively exploited in the wild, though details regarding the scale, methods, and perpetrators behind these attacks are still unknown.
Broadcom’s advisory notes that the vulnerability in Fabric OS can allow attackers to execute any command within the system, or even modify Fabric OS itself, including inserting custom subroutines. This makes the flaw particularly dangerous, as it offers potential attackers full control over vulnerable systems.
CISA urges all organizations to prioritize the patching of these vulnerabilities, especially given the active exploitation observed. FCEB agencies must apply the necessary patches before the May 17 and 19, 2025 deadlines to avoid potential exploitation.