Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added two high-severity security flaws impacting Broadcom Brocade Fabric OS and Commvault Web Server to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The vulnerabilities in question are listed below - CVE-2025-1976 (CVSS score: 8.6) - A code injection flaw
Analysis Summary
# Vulnerability: Actively Exploited Flaws in Broadcom Brocade and Commvault Web Server
## CVE Details
- CVE ID: CVE-2025-1976, CVE-2025-3928
- CVSS Score: 8.6 (High) for CVE-2025-1976; 8.7 (High) for CVE-2025-3928
- CWE: Not specified in the provided text for either CVE.
## Affected Systems
- **CVE-2025-1976 (Broadcom):** Involves Broadcom Brocade Fabric OS.
  - Versions: 9.1.0 through 9.1.1d6
- **CVE-2025-3928 (Commvault):** Involves Commvault Web Server.
  - Versions:
    - 11.36.0 - 11.36.45 (Fixed in 11.36.46)
    - 11.32.0 - 11.32.88 (Fixed in 11.32.89)
    - 11.28.0 - 11.28.140 (Fixed in 11.28.141)
    - 11.20.0 - 11.20.216 (Fixed in 11.20.217)
## Vulnerability Description
**CVE-2025-1976 (Broadcom Brocade Fabric OS):** A code injection flaw resulting from improper IP Address validation. A local user with administrative privileges can execute arbitrary code with full root privileges, allowing them to run any existing Fabric OS command or modify the OS itself (including adding subroutines).
**CVE-2025-3928 (Commvault Web Server):** An unspecified flaw that allows a remote, authenticated attacker to create and execute web shells.
## Exploitation
- **Status:** Actively exploited in the wild (Both flaws added to CISA's KEV catalog).
- **Complexity (CVE-2025-1976):** Requires the attacker to already possess a role with admin privileges.
- **Complexity (CVE-2025-3928):** Requires the attacker to be authenticated; the flaw is reportedly not exploitable by unauthenticated attackers.
- **Attack Vector (CVE-2025-1976):** Local.
- **Attack Vector (CVE-2025-3928):** Remote (Requires authentication).
## Impact
| Vulnerability | Confidentiality | Integrity | Availability |
| :--- | :--- | :--- | :--- |
| **CVE-2025-1976** | Likely High (Root access) | High (Ability to modify OS) | Likely High |
| **CVE-2025-3928** | Not Specified | High (Web shell execution) | Not Specified |
## Remediation
### Patches
- **CVE-2025-1976 (Broadcom):** Fixed in **Fabric OS version 9.1.1d7**.
- **CVE-2025-3928 (Commvault):** Patches are available in the following minimum versions:
  - 11.36.46
  - 11.32.89
  - 11.28.141
  - 11.20.217
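The affected and fixed version ranges above are easy to misread in an inventory spreadsheet, so here is an added example (not code from Broadcom, Commvault or CISA) that encodes them and answers "is this build affected?" for both products. It assumes Fabric OS builds order as major.minor.patch, then an optional letter suffix, then an optional suffix number (so 9.1.1 sorts before 9.1.1d6, which sorts before 9.1.1d7); the host names in the sample are constructed.

```python
"""Version-range check for CVE-2025-1976 (Fabric OS) and CVE-2025-3928 (Commvault)."""
import re
from typing import Optional

# Ranges exactly as stated on this page.
# Commvault: branch -> (last affected build, first fixed build).
COMMVAULT_RANGES = {
    (11, 36): (45, 46),
    (11, 32): (88, 89),
    (11, 28): (140, 141),
    (11, 20): (216, 217),
}
FOS_FIRST_AFFECTED = "9.1.0"
FOS_FIXED = "9.1.1d7"

# Assumed Fabric OS format: major.minor.patch + optional letter + optional number.
_FOS_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)(\d*)$")

def parse_fos(version: str) -> tuple:
    """Turn '9.1.1d6' into the sortable tuple (9, 1, 1, 'd', 6); '9.1.1' -> (9, 1, 1, '', 0)."""
    m = _FOS_RE.match(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Fabric OS version: {version!r}")
    major, minor, patch, letter, num = m.groups()
    return (int(major), int(minor), int(patch), letter, int(num or 0))

def fos_affected(version: str) -> bool:
    """CVE-2025-1976: affected when 9.1.0 <= version < 9.1.1d7."""
    return parse_fos(FOS_FIRST_AFFECTED) <= parse_fos(version) < parse_fos(FOS_FIXED)

def commvault_affected(version: str) -> Optional[bool]:
    """CVE-2025-3928: True/False for the four listed 11.x branches,
    None when the branch is not covered by the ranges on this page."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Commvault version: {version!r}")
    major, minor, build = (int(p) for p in parts)
    rng = COMMVAULT_RANGES.get((major, minor))
    if rng is None:
        return None
    last_affected, _first_fixed = rng
    return build <= last_affected

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, product, ver in [("san-sw1", "fos", "9.1.1d6"), ("san-sw2", "fos", "9.1.1d7"),
                               ("cv-web1", "commvault", "11.32.88"), ("cv-web2", "commvault", "11.36.46")]:
        hit = fos_affected(ver) if product == "fos" else commvault_affected(ver)
        print(f"{host:8} {product:9} {ver:9} affected={hit}")
```

A `None` result means the branch is outside the four listed ranges and should be checked against the vendor advisory rather than assumed safe.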
### Workarounds
- No specific workarounds were detailed in the provided context. The only mitigating factors noted are the prerequisites for Commvault exploitation: the Web Server must be reachable from the internet, the environment must already have been compromised by an unrelated method, and the attacker must hold legitimate user credentials.
## Detection
- **Indicators of Compromise (IoCs):** No public details on specific IoCs related to how the vulnerabilities have been exploited in the wild were provided in this summary.
- **Detection Methods and Tools:** No specific detection tooling is named; the KEV listing makes patching mandatory for FCEB agencies under CISA directives. Monitoring affected systems for unusual command execution (Fabric OS) and for unauthorized web shell creation (Commvault Web Server) is advisable.
## References
- Vendor Advisory (Broadcom for CVE-2025-1976): hxxps://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25602
- Vendor Advisory (Commvault for CVE-2025-3928): hxxps://documentation.commvault.com/securityadvisories/CV_2025_03_1.html
- CISA KEV Catalog Update: hxxps://www.cisa.gov/news-events/alerts/2025/04/28/cisa-adds-three-known-exploited-vulnerabilities-catalog