The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is warning of vulnerabilities in Broadcom Brocade Fabric OS, Commvault web servers, and Qualitia Active! Mail clients that are being actively exploited in attacks.
The flaws were added yesterday to CISA's 'Known Exploited Vulnerabilities' (KEV) catalog, with the Broadcom Brocade Fabric OS and Commvault flaws not previously tagged as exploited.
Broadcom Brocade Fabric OS is a specialized operating system that runs on the company's Brocade Fibre Channel switches to manage and optimize storage area networks (SANs).
Earlier this month, Broadcom disclosed an arbitrary code execution flaw impacting Fabric OS versions 9.1.0 through 9.1.1d6, tracked under CVE-2025-1976.
While the flaw requires admin privileges to exploit, Broadcom says it has been actively exploited in attacks.
"This vulnerability can allow the user to execute any existing Fabric OS command or can also be used to modify the Fabric OS itself, including adding their own subroutines," reads Broadcom's bulletin.
"Though achieving this exploit first requires valid access to a role with admin privileges, this vulnerability has been actively exploited in the field."
CVE-2025-1976 was addressed with the release of Brocade Fabric OS 9.1.1d7. The latest branch, 9.2.0, is not impacted by this vulnerability.
The Commvault flaw, tracked under CVE-2025-3928, is an unspecified security issue that authenticated attackers can exploit remotely to plant webshells on target servers.
Commvault web servers are the user-facing and API components of a backup system used by enterprises to protect and restore critical data.
Despite the requirements of authentication and of the environment being exposed to the internet, the flaw is under active exploitation in the wild.
CVE-2025-3928 was fixed in versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for the Windows and Linux platforms.
The third flaw CISA added to KEV is CVE-2025-42599, a stack-based buffer overflow impacting all versions of Active! Mail up to and including 'BuildInfo: 6.60.05008561' on all OS platforms.
Active! Mail is a web-based email client widely used by government, financial, and IT service organizations in Japan.
The flaw was flagged as actively exploited last week by Japan's CERT, while SMB providers and ISPs in the country also announced service outages caused by related exploitation activity.
Qualitia addressed the problem with the release of Active! Mail 6 BuildInfo: 6.60.06008562.
CISA has given impacted organizations until May 17, 2025, to apply fixes or available mitigations for CVE-2025-3928, and until May 19, 2025, for the other two flaws.
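For an administrator who needs to triage an inventory against the three KEV entries above, the following Python script is an added example (not part of the original article, and not vendor tooling) that compares reported build strings against the version boundaries quoted in this article. It assumes the interpretation, stated in the comments, that a Commvault build on one of the four listed branches is fixed once it is at or above that branch's fix release, that Commvault branches the article does not mention are reported as "unknown" rather than guessed, and that a Fabric OS release with a bare letter suffix (such as 9.1.1d) sorts below 9.1.1d6. The sample inventory is constructed for illustration.

```python
import re

# Version boundaries as reported in the article:
#   Fabric OS   : 9.1.0 through 9.1.1d6 affected, 9.1.1d7 fixed, 9.2.0 not impacted
#   Commvault   : fixed in 11.36.46, 11.32.89, 11.28.141, 11.20.217
#   Active! Mail: all builds up to and including 6.60.05008561 affected,
#                 6.60.06008562 fixed
# Assumptions made in this example (not stated by the vendors): a Commvault
# build on a listed branch is fixed once it is at or above that branch's fix
# release; unlisted branches are reported as "unknown"; a bare Fabric OS
# letter release such as 9.1.1d sorts below 9.1.1d6.

FABRIC_OS_FIRST_AFFECTED = "9.1.0"
FABRIC_OS_FIXED = "9.1.1d7"
COMMVAULT_FIXED = ["11.36.46", "11.32.89", "11.28.141", "11.20.217"]
ACTIVE_MAIL_LAST_AFFECTED = "6.60.05008561"


def fabric_os_key(version):
    """Sort key for a Fabric OS version string such as '9.1.1d6'.

    The suffix letter and its trailing number are ordered after a bare
    x.y.z release, so 9.1.1 < 9.1.1a < 9.1.1d < 9.1.1d6 < 9.1.1d7.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:([a-z])(\d*))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Fabric OS version: {version!r}")
    major, minor, patch, letter, num = m.groups()
    letter_rank = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(patch), letter_rank, int(num) if num else 0)


def dotted_key(version):
    """Sort key for plain dotted numeric versions ('11.36.46', '6.60.05008561')."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(p) for p in parts)


def fabric_os_status(version):
    """'affected' if the build falls in the 9.1.0 .. 9.1.1d6 range, else 'not affected'."""
    v = fabric_os_key(version)
    if fabric_os_key(FABRIC_OS_FIRST_AFFECTED) <= v < fabric_os_key(FABRIC_OS_FIXED):
        return "affected"
    return "not affected"


def commvault_status(version):
    """Compare against the fix release of the same 11.xx branch; unknown branches are not guessed."""
    v = dotted_key(version)
    for fixed in COMMVAULT_FIXED:
        f = dotted_key(fixed)
        if v[:2] == f[:2]:  # same release branch, e.g. 11.36
            return "affected" if v < f else "fixed"
    return "unknown"


def active_mail_status(build):
    """Accepts '6.60.05008561' or 'BuildInfo: 6.60.05008561'; everything up to
    and including the last affected build is 'affected'."""
    build = build.replace("BuildInfo:", "").strip()
    return "affected" if dotted_key(build) <= dotted_key(ACTIVE_MAIL_LAST_AFFECTED) else "fixed"


STATUS_CHECKERS = {
    "fabric_os": fabric_os_status,
    "commvault": commvault_status,
    "active_mail": active_mail_status,
}


def check(product, version):
    """Return 'affected', 'fixed', 'not affected' or 'unknown' for one host."""
    return STATUS_CHECKERS[product](version)


def triage(inventory):
    """Map a list of (hostname, product, version) tuples to their status."""
    return {host: check(product, version) for host, product, version in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = [
        ("san-sw01", "fabric_os", "9.1.1d6"),
        ("san-sw02", "fabric_os", "9.1.1d7"),
        ("san-sw03", "fabric_os", "9.2.0"),
        ("cv-web01", "commvault", "11.36.45"),
        ("cv-web02", "commvault", "11.28.141"),
        ("cv-web03", "commvault", "11.40.10"),
        ("mail01", "active_mail", "BuildInfo: 6.60.05008561"),
        ("mail02", "active_mail", "6.60.06008562"),
    ]
    for host, status in triage(sample).items():
        print(f"{host:10} {status}")
```

The "unknown" result for Commvault branches outside the four listed is deliberate: the article gives fix versions only for those branches, so a checker that silently marked 11.40.x as fixed would be inventing a claim the source does not support. Treat "unknown" as a prompt to consult the vendor advisory, not as a clean bill of health.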