Commvault | Breaking Cybersecurity News | The Hacker News

Category — Commvault
CISA Adds Actively Exploited Broadcom and Commvault Flaws to KEV Database

Apr 29, 2025 Vulnerability / Web Security
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added two high-severity security flaws impacting Broadcom Brocade Fabric OS and Commvault Web Server to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The vulnerabilities in question are listed below -

- CVE-2025-1976 (CVSS score: 8.6) - A code injection flaw affecting Broadcom Brocade Fabric OS that allows a local user with administrative privileges to execute arbitrary code with full root privileges
- CVE-2025-3928 (CVSS score: 8.7) - An unspecified flaw in the Commvault Web Server that allows a remote, authenticated attacker to create and execute web shells

"Exploiting this vulnerability requires a bad actor to have authenticated user credentials within the Commvault Software environment," Commvault said in an advisory released in February 2025. "Unauthenticated access is not exploitable. For software customers, this means your ...
Critical Commvault Command Center Flaw Enables Attackers to Execute Code Remotely

Apr 24, 2025 Data Breach / Vulnerability
A critical security flaw has been disclosed in the Commvault Command Center that could allow arbitrary code execution on affected installations. The vulnerability, tracked as CVE-2025-34028, carries a CVSS score of 9.0 out of a maximum of 10.0.

"A critical security vulnerability has been identified in the Command Center installation, allowing remote attackers to execute arbitrary code without authentication," Commvault said in an advisory published on April 17, 2025. "This vulnerability could lead to a complete compromise of the Command Center environment."

It impacts the 11.38 Innovation Release, from versions 11.38.0 through 11.38.19, and has been resolved in the following versions -

- 11.38.20
- 11.38.25

watchTowr Labs researcher Sonny Macdonald, who has been credited with discovering and reporting the flaw on April 7, 2025, said in a report shared with The Hacker News that it could be exploited to achieve pre-authenticated remote code execution. Specif...