The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added two high-severity security flaws impacting Broadcom Brocade Fabric OS and Commvault Web Server to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The vulnerabilities in question are listed below –
- CVE-2025-1976 (CVSS score: 8.6) – A code injection flaw affecting Broadcom Brocade Fabric OS that allows a local user with administrative privileges to execute arbitrary code with full root privileges
- CVE-2025-3928 (CVSS score: 8.7) – An unspecified flaw in the Commvault Web Server that allows a remote, authenticated attacker to create and execute web shells
“Exploiting this vulnerability requires a bad actor to have authenticated user credentials within the Commvault Software environment,” Commvault said in an advisory released in February 2025.
“Unauthenticated access is not exploitable. For software customers, this means your environment must be: (i) accessible via the internet, (ii) compromised through an unrelated avenue, and (iii) accessed leveraging legitimate user credentials.”
The vulnerability affects the following Windows and Linux versions –
- 11.36.0 – 11.36.45 (Fixed in 11.36.46)
- 11.32.0 – 11.32.88 (Fixed in 11.32.89)
- 11.28.0 – 11.28.140 (Fixed in 11.28.141)
- 11.20.0 – 11.20.216 (Fixed in 11.20.217)
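Because the affected builds are defined per maintenance-release line, a naive string comparison gets the check wrong (e.g. "11.36.5" sorts above "11.36.45" lexically). The following helper, added here as an example and not Commvault's own tooling, encodes the ranges listed above and triages a constructed host inventory; hostnames and build numbers in the sample are assumptions.

```python
"""Check Commvault Web Server build numbers against the CVE-2025-3928
affected ranges listed above (added example, not Commvault code)."""
from typing import Optional, Tuple

# (first affected, last affected, first fixed) per maintenance release line,
# exactly as given in the advisory summary above.
AFFECTED_RANGES = [
    ((11, 36, 0), (11, 36, 45), (11, 36, 46)),
    ((11, 32, 0), (11, 32, 88), (11, 32, 89)),
    ((11, 28, 0), (11, 28, 140), (11, 28, 141)),
    ((11, 20, 0), (11, 20, 216), (11, 20, 217)),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11.36.45' into (11, 36, 45) so ranges compare numerically,
    not lexically ('11.36.5' must sort below '11.36.45')."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Commvault version format: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version_text: str) -> Tuple[str, Optional[str]]:
    """Return (status, first_fixed); status is 'vulnerable', 'patched' or
    'not-listed'. Lines absent from the advisory are reported as
    'not-listed' rather than assumed safe."""
    v = parse_version(version_text)
    for low, high, fixed in AFFECTED_RANGES:
        if v[:2] != low[:2]:
            continue  # different maintenance release line
        fixed_text = ".".join(map(str, fixed))
        if low <= v <= high:
            return "vulnerable", fixed_text
        return "patched", fixed_text
    return "not-listed", None


def triage(inventory: dict) -> list:
    """Apply assess() to {hostname: version}; return hosts needing the patch."""
    return sorted(h for h, ver in inventory.items()
                  if assess(ver)[0] == "vulnerable")


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"cv-web-01": "11.36.45", "cv-web-02": "11.36.46",
              "cv-web-03": "11.28.5", "cv-web-04": "11.40.2"}
    for host in triage(sample):
        print(f"{host}: {sample[host]} -> upgrade to {assess(sample[host])[1]}")
```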
As for CVE-2025-1976, Broadcom said that due to a flaw in IP address validation, a local user with the admin privilege can potentially execute arbitrary code with root privileges on Fabric OS versions 9.1.0 through 9.1.1d6. It has been fixed in version 9.1.1d7.
“This vulnerability can allow the user to execute any existing Fabric OS command or can also be used to modify the Fabric OS itself, including adding their own subroutines,” Broadcom noted in a bulletin published on April 17, 2025.
“Although achieving this exploit first requires valid access to a role with admin privileges, this vulnerability has been actively exploited in the field.”
There are currently no public details on how either of the vulnerabilities has been exploited in the wild, the scale of the attacks, or who may be behind them.
Federal Civilian Executive Branch (FCEB) agencies are recommended to apply the necessary patches for the Commvault Web Server by May 17, 2025, and for Broadcom Brocade Fabric OS by May 19, respectively.