CISA Flags Actively Exploited Flaws in Commvault and Broadcom Systems, Urges Prompt Patching

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two actively exploited security flaws, one in Broadcom's Brocade Fabric OS and one in the Commvault Web Server, to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of exploitation in real-world attacks.

The two vulnerabilities are:

  • CVE-2025-1976 (CVSS score: 8.6): A code injection flaw in Broadcom's Brocade Fabric OS that allows a local user with administrative privileges to execute arbitrary code with root privileges. The flaw stems from improper IP address validation and affects versions 9.1.0 through 9.1.1d6. It is fixed in version 9.1.1d7.

  • CVE-2025-3928 (CVSS score: 8.7): A remote code execution flaw in the Commvault Web Server that lets an authenticated attacker create and execute web shells. Exploitation requires valid credentials; Commvault noted that its attack scenario presumes the environment is accessible from the internet, has already been compromised through an unrelated vector, and the attacker holds legitimate user credentials. The authentication requirement is therefore only a barrier until credentials are obtained elsewhere.

Commvault disclosed the vulnerability in February 2025. It affects multiple versions of its software on both Windows and Linux, and fixes are available in the following maintenance releases:

  • Version 11.36.46 (for the 11.36.x series)

  • Version 11.32.89 (for the 11.32.x series)

  • Version 11.28.141 (for the 11.28.x series)

  • Version 11.20.217 (for the 11.20.x series)

Broadcom, in an April 17, 2025 bulletin, stated that an attacker with admin-level access could use CVE-2025-1976 to modify Fabric OS, add their own subroutines, or run any existing OS command. The admin prerequisite narrows the pool of potential attackers, but evidence of active in-the-wild exploitation means the fix should not wait.
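The practical first step for defenders is to check every Brocade switch and Commvault CommServe in inventory against the version ranges above. The following is an added example (not code from CISA, Broadcom, or Commvault) that parses both vendors' version strings and reports exposure to CVE-2025-1976 and CVE-2025-3928. It assumes Fabric OS versions of the form `9.1.1d6` (major.minor.patch, optional letter, optional patch number) order lexicographically by those components, and that Commvault versions are plain `11.36.46` strings; the inventory records are constructed sample data.

```python
import re
from typing import List, Optional, Tuple

# Fixed version per Commvault feature release series, as listed in the advisory.
COMMVAULT_FIXED = {
    (11, 36): 46,
    (11, 32): 89,
    (11, 28): 141,
    (11, 20): 217,
}

# Brocade Fabric OS: affected range per the Broadcom bulletin (inclusive low, exclusive high).
FOS_AFFECTED_LOW = "9.1.0"
FOS_FIXED = "9.1.1d7"

# Assumption: FOS versions look like 9.1.0, 9.1.1a, 9.1.1d6 and order by
# (major, minor, patch, letter, number); a missing letter/number sorts first.
_FOS_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z])?(\d+)?$")


def parse_fos_version(v: str) -> Tuple[int, int, int, str, int]:
    m = _FOS_RE.match(v.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Fabric OS version: {v!r}")
    major, minor, patch, letter, n = m.groups()
    return (int(major), int(minor), int(patch), letter or "", int(n or 0))


def fos_vulnerable_cve_2025_1976(v: str) -> bool:
    """True if the Fabric OS version falls in 9.1.0 .. 9.1.1d6 inclusive."""
    key = parse_fos_version(v)
    return parse_fos_version(FOS_AFFECTED_LOW) <= key < parse_fos_version(FOS_FIXED)


def parse_commvault_version(v: str) -> Tuple[int, int, int]:
    parts = v.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Commvault version: {v!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def commvault_vulnerable_cve_2025_3928(v: str) -> Optional[bool]:
    """True if below the fixed maintenance release for its series.

    Returns None when the series is not one of the four the advisory lists,
    so the caller can escalate rather than silently mark it safe.
    """
    major, minor, patch = parse_commvault_version(v)
    fixed = COMMVAULT_FIXED.get((major, minor))
    if fixed is None:
        return None
    return patch < fixed


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, Optional[bool]]]:
    """Map (host, product, version) records to (host, cve, version, vulnerable?)."""
    findings = []
    for host, product, version in inventory:
        if product == "brocade-fos":
            findings.append((host, "CVE-2025-1976", version, fos_vulnerable_cve_2025_1976(version)))
        elif product == "commvault":
            findings.append((host, "CVE-2025-3928", version, commvault_vulnerable_cve_2025_3928(version)))
        # other products are out of scope for these two advisories
    return findings


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("san-sw01", "brocade-fos", "9.1.1d6"),
    ("san-sw02", "brocade-fos", "9.1.1d7"),
    ("cv-cs01", "commvault", "11.36.45"),
    ("cv-cs02", "commvault", "11.32.89"),
    ("cv-cs03", "commvault", "11.40.10"),
]

if __name__ == "__main__":
    for host, cve, version, vuln in triage(SAMPLE_INVENTORY):
        label = {True: "VULNERABLE", False: "patched", None: "series not in advisory"}[vuln]
        print(f"{host:10} {cve:14} {version:10} {label}")
```

The `None` verdict matters in practice: a Commvault series outside the four listed should be checked against the vendor advisory directly, not assumed clean because no fixed build is tabulated for it.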

At this time, neither vendor nor CISA has publicly shared technical details of the attacks or attributed them to a specific actor. Under the KEV catalog's Binding Operational Directive (BOD 22-01), Federal Civilian Executive Branch agencies are required to patch affected Commvault systems by May 17, 2025, and affected Broadcom systems by May 19, 2025; organizations outside the federal government would be well advised to follow the same timelines.