The Cybersecurity and Infrastructure Security Agency (CISA) has recently added a critical vulnerability in Commvault’s Web Server, identified as CVE-2025-3928, to its Known Exploited Vulnerabilities (KEV) catalog. This inclusion indicates that threat actors are actively exploiting this flaw in real-world scenarios. Federal agencies have been directed to remediate this vulnerability by May 17, 2025, in line with Binding Operational Directive (BOD) 22-01.
Understanding CVE-2025-3928
CVE-2025-3928 is an unspecified vulnerability within Commvault’s Web Server component that allows remote, authenticated attackers to create and execute webshells on compromised systems. Webshells are malicious scripts that provide persistent access to a server, enabling attackers to execute arbitrary commands with the same privileges as the web server. This can lead to complete server compromise, unauthorized data access, service disruptions, and potential data integrity issues.
The National Vulnerability Database has assigned this flaw a CVSS base score of 8.8, categorizing it as high severity. The Exploit Prediction Scoring System (EPSS) has given it a score of 0.10%, suggesting a low probability of exploitation in the next 30 days. However, CISA’s inclusion of this vulnerability in the KEV catalog confirms that exploitation is already occurring.
Affected Systems and Patched Versions
This vulnerability impacts Commvault Web Server deployments on both Windows and Linux platforms. The affected versions include:
– 11.20.0 to 11.20.216
– 11.28.0 to 11.28.140
– 11.32.0 to 11.32.88
– 11.36.0 to 11.36.45
Commvault has addressed this vulnerability in the following versions:
– 11.20.217
– 11.28.141
– 11.32.89
– 11.36.46
Organizations running earlier versions remain vulnerable and are urged to update to the patched versions immediately.
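A small inventory check, added here as an illustration and not taken from CISA or Commvault: it encodes the affected and patched builds listed above and classifies version strings against them, comparing components numerically so that 11.20.9 is correctly seen as older than 11.20.216 (a plain string comparison would get that wrong). The hostnames and versions in the sample inventory are constructed, and feature releases not named in the advisory (for example 11.24) are reported as not listed rather than guessed at.

```python
"""Classify Commvault Web Server build versions against the CVE-2025-3928 ranges above."""
from __future__ import annotations

# Feature release -> (first affected, last affected, first fixed), as published above.
AFFECTED_RANGES = {
    (11, 20): ((11, 20, 0), (11, 20, 216), (11, 20, 217)),
    (11, 28): ((11, 28, 0), (11, 28, 140), (11, 28, 141)),
    (11, 32): ((11, 32, 0), (11, 32, 88), (11, 32, 89)),
    (11, 36): ((11, 36, 0), (11, 36, 45), (11, 36, 46)),
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.feature.maintenance' into ints so 11.20.9 < 11.20.216 compares numerically."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Commvault version string: {text!r}")
    major, feature, maint = (int(p) for p in parts)
    return major, feature, maint


def assess(version: str) -> str:
    """Return 'vulnerable', 'patched' or 'not listed' for one version string."""
    v = parse_version(version)
    entry = AFFECTED_RANGES.get(v[:2])
    if entry is None:
        # Feature release not covered by the advisory text: check with the vendor, don't assume.
        return "not listed"
    low, high, _fixed = entry
    return "vulnerable" if low <= v <= high else "patched"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts from an inventory {hostname: version} by assessment, hosts sorted by name."""
    groups: dict[str, list[str]] = {"vulnerable": [], "patched": [], "not listed": []}
    for host, version in sorted(inventory.items()):
        groups[assess(version)].append(host)
    return groups


# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "cv-web-01": "11.20.216",  # last affected build of the 11.20 line
    "cv-web-02": "11.20.217",  # first fixed build of the 11.20 line
    "cv-web-03": "11.32.9",    # numerically inside 11.32.0-11.32.88
    "cv-web-04": "11.36.46",
    "cv-web-05": "11.24.30",   # feature release not named in the advisory
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```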
Recommended Actions
CISA recommends that organizations take the following actions by the May 17 deadline:
1. Apply Mitigations: Follow the vendor’s instructions to apply the necessary patches.
2. Adhere to BOD 22-01 Guidance: For cloud services, follow the applicable directives outlined in BOD 22-01.
3. Discontinue Use: If mitigations are unavailable, consider discontinuing the use of the affected product.
While BOD 22-01 requirements formally apply to Federal Civilian Executive Branch (FCEB) agencies, CISA strongly encourages all organizations to prioritize the timely remediation of catalog vulnerabilities as part of their security practices.
Broader Implications
The active exploitation of CVE-2025-3928 underscores the evolving threat landscape where attackers increasingly target backup and data management systems. These systems often contain sensitive information and are integral to business continuity, making them attractive targets.
Organizations should not only apply the necessary patches but also implement comprehensive security measures, including:
– Regular Vulnerability Assessments: Conduct periodic scans to identify and remediate potential security flaws.
– Continuous Monitoring: Deploy monitoring solutions to detect unauthorized access and unusual activity within the network.
– Access Controls: Ensure that only authorized personnel have access to critical systems and data.
– Incident Response Planning: Develop and regularly update incident response plans to swiftly address potential breaches.
By taking these proactive steps, organizations can enhance their security posture and mitigate the risks associated with vulnerabilities like CVE-2025-3928.