CISA Identifies Critical Vulnerabilities in Broadcom and Commvault Software Amid Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical advisory regarding two severe security vulnerabilities affecting key software products from Broadcom and Commvault. On Monday, CISA officially included these vulnerabilities in its Known Exploited Vulnerabilities (KEV) catalog, underscoring the urgency of the situation due to confirmed evidence of active exploitation in the field.
The vulnerabilities are categorized as follows:
- CVE-2025-1976 (CVSS score: 8.6) - This is a significant code injection vulnerability found in Broadcom's Brocade Fabric OS. It allows a local user who possesses administrative privileges to execute arbitrary code with root privileges.
- CVE-2025-3928 (CVSS score: 8.7) - This vulnerability resides in the Commvault Web Server, permitting a remote, authenticated attacker to create and execute web shells.
Commvault detailed the implications of the second vulnerability in an advisory released in February 2025, clarifying that exploiting it necessitates the attacker having authenticated user credentials within the Commvault software environment. The advisory further emphasized that unauthenticated access is not a viable exploit path. For customers using this software, the risk is amplified if their environment is:
- Accessible via the internet
- Compromised through an unrelated security breach
- Accessed using legitimate user credentials
Both vulnerabilities affect multiple versions of their respective products. Specifically, the Commvault Web Server vulnerability impacts the following versions:
- 11.36.0 - 11.36.45 (Fixed in 11.36.46)
- 11.32.0 - 11.32.88 (Fixed in 11.32.89)
- 11.28.0 - 11.28.140 (Fixed in 11.28.141)
- 11.20.0 - 11.20.216 (Fixed in 11.20.217)
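To turn the version ranges above into an inventory check, here is an added Python example (not code from CISA, Commvault or Broadcom) that reports whether an installed build falls inside one of the affected ranges quoted on this page and, if so, which fixed build to move to. The product keys and the parser's treatment of Fabric OS letter-suffix builds such as "9.1.1d6" are assumptions of the example.

```python
"""Exposure check for CVE-2025-3928 (Commvault) and CVE-2025-1976 (Fabric OS).

Added example: ranges are copied from the article; only listed ranges match.
"""
import re
from typing import Optional, Tuple

# (first affected, last affected, first fixed) exactly as listed above.
COMMVAULT_RANGES = [
    ("11.36.0", "11.36.45", "11.36.46"),
    ("11.32.0", "11.32.88", "11.32.89"),
    ("11.28.0", "11.28.140", "11.28.141"),
    ("11.20.0", "11.20.216", "11.20.217"),
]
# Brocade Fabric OS 9.1.0 through 9.1.1d6 affected, fixed in 9.1.1d7.
FABRIC_OS_RANGES = [("9.1.0", "9.1.1d6", "9.1.1d7")]

PRODUCTS = {"commvault": COMMVAULT_RANGES, "fabric_os": FABRIC_OS_RANGES}


def parse_version(v: str) -> Tuple:
    """Turn '11.36.45' or '9.1.1d6' into a comparable tuple.

    Numeric parts compare numerically and are padded to three components;
    an optional trailing letter+number (assumed Fabric OS patch style)
    sorts after the bare release, so 9.1.1 < 9.1.1d6 < 9.1.1d7.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z])?(\d+)?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))
    letter = m.group(2) or ""
    patch = int(m.group(3)) if m.group(3) else 0
    return nums + (letter, patch)


def affected(product: str, installed: str) -> Optional[str]:
    """Return the fixed build if `installed` is in a listed affected range.

    Returns None when the build is outside every listed range (which for
    unlisted trains such as 11.30.x means 'not listed', not 'verified safe').
    """
    ranges = PRODUCTS[product]  # KeyError for products not on this page
    v = parse_version(installed)
    for lo, hi, fixed in ranges:
        if parse_version(lo) <= v <= parse_version(hi):
            return fixed
    return None
```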
The Broadcom vulnerability, CVE-2025-1976 in Brocade Fabric OS, stems from a flaw in the validation of IP addresses. This issue allows a local user with administrative rights to execute arbitrary code with root privileges on Fabric OS versions ranging from 9.1.0 to 9.1.1d6. Broadcom has since released a fix in version 9.1.1d7.
In its bulletin published on April 17, 2025, Broadcom warned that this vulnerability could enable an authorized user to execute any existing Fabric OS command or even modify the Fabric OS itself, which includes the potential to add custom subroutines. Importantly, although exploiting this vulnerability requires initial access with admin privileges, reports indicate that it is actively being exploited in real-world scenarios.
As of now, there are no public details concerning the specific methods of exploitation, the scale of these attacks, or the identities of the perpetrators involved. In light of these developments, CISA has advised Federal Civilian Executive Branch (FCEB) agencies to implement the necessary security patches for the vulnerable Commvault Web Server by May 17, 2025, and for Broadcom Brocade Fabric OS by May 19, 2025. Prompt action on these recommendations is crucial to safeguarding sensitive information and maintaining the integrity of systems affected by these critical vulnerabilities.