Full Report
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is warning that vulnerabilities in Broadcom Brocade Fabric OS, Commvault web servers, and Qualitia Active! Mail clients are being actively exploited in attacks. [...]
Analysis Summary
# Vulnerability: Active Exploitation of Flaws in Broadcom Fabric OS, CommVault, and Active! Mail
## CVE Details
- CVE ID: CVE-2025-1976, CVE-2025-3928, CVE-2025-42599
- CVSS Score: Not explicitly listed in the summary; high severity is implied by inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog and by confirmed in-the-wild exploitation.
- CWE: Not explicitly listed. The descriptions point to arbitrary code execution by an authenticated administrator (Fabric OS), webshell creation on a web server (Commvault), and a stack-based buffer overflow (Active! Mail).
## Affected Systems
- **Products:**
  - Broadcom Brocade Fabric OS
  - Commvault Web Server (Windows and Linux platforms)
  - Qualitia Active! Mail 6
- **Versions:**
  - Brocade Fabric OS: versions 9.1.0 through 9.1.1d6.
  - Commvault: versions prior to 11.36.46, 11.32.89, 11.28.141, and 11.20.217 (one fixed build per supported feature release).
  - Active! Mail: all versions up to and including 'BuildInfo: 6.60.05008561'.
- **Configurations:**
  - Active! Mail is noted as widely used by government, financial, and IT service organizations in Japan.
## Vulnerability Description
The summary covers three distinct vulnerabilities flagged by CISA as being actively exploited:
1. **CVE-2025-1976 (Brocade Fabric OS):** An arbitrary code execution flaw. A local user who already holds admin privileges can execute arbitrary code with full root privileges: they can run any existing Fabric OS command or modify Fabric OS itself, including adding their own subroutines. The flaw is a privilege boundary failure between the admin role and the underlying OS, not an unauthenticated entry point.
2. **CVE-2025-3928 (Commvault Web Server):** An unspecified vulnerability that lets a remote, authenticated attacker create and execute webshells on the user-facing web server and API components of the backup environment.
3. **CVE-2025-42599 (Active! Mail):** A stack-based buffer overflow in the web-based email client; a specially crafted request can lead to arbitrary code execution or a crash of the service.
## Exploitation
- **Status:** Actively exploited in the wild for all three reported CVEs.
- **Complexity:**
  - CVE-2025-1976: Requires prior valid admin privileges on the switch.
  - CVE-2025-3928: Requires valid credentials for the Commvault web server.
  - CVE-2025-42599: No authentication reported as required; a crafted request to the exposed web client suffices.
- **Attack Vector:**
  - CVE-2025-1976: Local, post-authentication (an admin-level user escalating to root on the switch).
  - CVE-2025-3928: Remote (requires authentication; internet-exposed web servers are the practical target).
  - CVE-2025-42599: Remote; code execution or denial of service via the web interface, and the observed attacks caused outages.
## Impact
- **Confidentiality:** High (RCE possibility, webshell planting).
- **Integrity:** High (Ability to modify Fabric OS, plant webshells).
- **Availability:** High (exploitation of the Active! Mail flaw caused service outages at Japanese ISPs and hosting/service providers; the Fabric OS flaw gives root control of the switch).
## Remediation
### Patches
- **Broadcom Fabric OS:** Released Brocade Fabric OS **9.1.1d7**. (Branch 9.2.0 is not impacted).
- **Commvault:** Fixed in versions **11.36.46, 11.32.89, 11.28.141, and 11.20.217** for Windows and Linux.
- **Active! Mail:** Fixed in version **Active! Mail 6 BuildInfo: 6.60.06008562**.
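The affected and fixed versions above use three different numbering schemes (a letter-suffixed Brocade patch level, one Commvault fixed build per feature release, and a long Active! Mail build number), so a plain string compare gets them wrong. The following is an added example, not code from the advisory or any vendor, that encodes the fixed versions listed on this page and classifies an inventory entry accordingly. The parsing rules for each vendor's version string, the `inventory` sample data, and the function names are this example's own assumptions.

```python
"""Classify observed product versions against the fixed versions on this page.

Added example; not vendor code. Fixed versions are those the advisory summary
lists. How each vendor's version string is parsed is an assumption made here.
"""
import re

# Commvault ships one fixed maintenance build per feature release, so a build
# must be compared within its own (major, feature) line.
COMMVAULT_FIXED = {(11, 20): 217, (11, 28): 141, (11, 32): 89, (11, 36): 46}
FABRIC_OS_FIXED = "9.1.1d7"          # branch 9.2.0 is not affected
FABRIC_OS_FIRST_AFFECTED = "9.1.0"
ACTIVE_MAIL_FIXED = "6.60.06008562"


def parse_fabric_os(version: str) -> tuple:
    """'9.1.1d6' -> (9, 1, 1, 'd', 6). Assumption: a patch suffix is one
    lowercase letter plus a number, and a bare release sorts before any
    suffixed build of the same release."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:([a-z])(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Fabric OS version: {version!r}")
    major, minor, patch, letter, num = m.groups()
    return (int(major), int(minor), int(patch), letter or "", int(num or 0))


def fabric_os_vulnerable(version: str) -> bool:
    """CVE-2025-1976: affected 9.1.0 through 9.1.1d6, fixed in 9.1.1d7."""
    v = parse_fabric_os(version)
    return parse_fabric_os(FABRIC_OS_FIRST_AFFECTED) <= v < parse_fabric_os(FABRIC_OS_FIXED)


def commvault_status(version: str) -> str:
    """CVE-2025-3928. Returns 'vulnerable', 'fixed', or 'unknown' for a
    feature release the advisory does not list (older or newer lines), which
    should be checked against the vendor advisory rather than assumed safe."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Commvault version: {version!r}")
    major, feature, maint = (int(p) for p in parts)
    fixed = COMMVAULT_FIXED.get((major, feature))
    if fixed is None:
        return "unknown"
    return "fixed" if maint >= fixed else "vulnerable"


def active_mail_vulnerable(build: str) -> bool:
    """CVE-2025-42599: affected up to and including BuildInfo 6.60.05008561,
    fixed in 6.60.06008562. Components are compared as integers so that the
    zero-padded build field ('05008561') orders correctly."""
    def key(s: str) -> tuple:
        s = s.replace("BuildInfo:", "").strip()
        return tuple(int(p) for p in s.split("."))
    return key(build) < key(ACTIVE_MAIL_FIXED)


def classify(product: str, version: str) -> str:
    """Dispatch on product name; returns 'vulnerable', 'fixed', or 'unknown'."""
    if product == "fabric_os":
        return "vulnerable" if fabric_os_vulnerable(version) else "fixed"
    if product == "commvault":
        return commvault_status(version)
    if product == "active_mail":
        return "vulnerable" if active_mail_vulnerable(version) else "fixed"
    raise ValueError(f"unknown product: {product!r}")


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    inventory = [
        ("san-sw-01", "fabric_os", "9.1.1d6"),
        ("san-sw-02", "fabric_os", "9.2.0"),
        ("cv-web-01", "commvault", "11.32.88"),
        ("cv-web-02", "commvault", "11.36.46"),
        ("mail-01", "active_mail", "BuildInfo: 6.60.05008561"),
    ]
    for host, product, version in inventory:
        print(f"{host:10} {product:12} {version:28} {classify(product, version)}")
```

Because the Commvault fix is per feature release, an 11.32 host is not made safe by the existence of 11.36.46; it needs 11.32.89 or later within its own line, which is why the lookup is keyed on the first two components.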
### Workarounds
- Under CISA's KEV catalog, federal civilian agencies must apply the vendor fixes or available mitigations by May 17, 2025 for CVE-2025-3928 and by May 19, 2025 for CVE-2025-1976 and CVE-2025-42599; those dates are a reasonable patching deadline for any organization. No specific workarounds are detailed in this summary; consult the vendor advisories. Until patched, limiting network exposure of the Commvault web server and the Active! Mail web interface, and restricting who holds Fabric OS admin accounts, reduces the attack surface.
## Detection
- **Indicators of Compromise:** No campaign-specific indicators are given in this summary. Successful exploitation would show as unexpected code execution, new user accounts or modified Fabric OS components on a switch, webshells (new server-side script files) under the Commvault web server's deployment directories, or crashes and unexplained restarts of the Active! Mail service.
- **Detection methods and tools:** Review Fabric OS audit logs for admin sessions and commands outside normal change windows; on Commvault web servers, compare the deployed web content against a known-good build and flag script files created or modified since the exploitation window, along with child processes (shells, interpreters) spawned by the web server process; for Active! Mail, correlate service crashes with oversized or malformed requests in the web server logs. Keep endpoint and network detection content updated for the signatures vendors publish for these campaigns.
## References
- Broadcom bulletin: support[dot]broadcom[dot]com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25602
- Commvault advisory: documentation[dot]commvault[dot]com/securityadvisories/CV_2025_03_1[dot]html
- Active! Mail exploitation confirmation: bleepingcomputer[dot]com/news/security/active-mail-rce-flaw-exploited-in-attacks-on-japanese-orgs/