CISA Flags Actively Exploited Flaws in Broadcom and Commvault Systems
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two newly discovered high-severity vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, warning of active exploitation in the wild.
The vulnerabilities include:
- CVE-2025-1976 (CVSS 8.6): A code injection flaw in Broadcom Brocade Fabric OS (versions 9.1.0 to 9.1.1d6) that allows local admin users to run arbitrary code with root access. Broadcom patched the issue in version 9.1.1d7.
- CVE-2025-3928 (CVSS 8.7): A vulnerability in Commvault Web Server that enables remote authenticated users to deploy web shells. Commvault clarified that exploitation requires valid credentials and internet-accessible systems. The issue affects specific versions of Windows and Linux software, now patched in versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217.
While technical details remain undisclosed, CISA urges all Federal Civilian Executive Branch (FCEB) agencies to patch Commvault systems by May 17, 2025, and Broadcom Brocade Fabric OS by May 19, 2025.
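Turning the two KEV entries above into an inventory check is mostly a matter of comparing version strings correctly, and both products use formats that a naive string comparison gets wrong (Brocade's `9.1.1d6` suffix, Commvault's four parallel maintenance branches). The following is an added example, not code from CISA, Broadcom or Commvault: it encodes the affected range and fix levels exactly as stated in the article, and assumes (a) that the Fabric OS letter-plus-number suffix orders lexically and (b) that on each of the four listed Commvault branches any build below the quoted fix number is unpatched, which the article does not spell out. Hostnames and versions in the sample inventory are constructed.

```python
import re

# Fix levels for CVE-2025-3928 (Commvault Web Server), keyed by
# (major, minor) branch -> first patched maintenance number, from the article.
COMMVAULT_FIXED = {
    (11, 36): 46,
    (11, 32): 89,
    (11, 28): 141,
    (11, 20): 217,
}

# CVE-2025-1976 (Brocade Fabric OS): affected 9.1.0 through 9.1.1d6, fixed in 9.1.1d7.
FOS_FIRST_AFFECTED = "9.1.0"
FOS_FIXED = "9.1.1d7"

_FOS_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:([a-z])(\d+))?$")


def parse_fos(version: str) -> tuple:
    """Turn 'major.minor.patch[letter][n]' (e.g. '9.1.1d6') into a sortable tuple.

    Assumption (not stated in the article): the trailing letter+number suffix
    orders lexically, so 9.1.1 < 9.1.1a1 < 9.1.1d6 < 9.1.1d7.
    """
    m = _FOS_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Fabric OS version: {version!r}")
    major, minor, patch, letter, n = m.groups()
    return (int(major), int(minor), int(patch), letter or "", int(n) if n else 0)


def fos_status(version: str) -> str:
    """Classify a Fabric OS build against the CVE-2025-1976 affected range."""
    v = parse_fos(version)
    if v < parse_fos(FOS_FIRST_AFFECTED):
        return "outside affected range"
    if v < parse_fos(FOS_FIXED):
        return "vulnerable"
    return "patched"


def commvault_status(version: str) -> str:
    """Classify a Commvault build ('11.36.45') against the published fix levels.

    Assumption (not stated in the article): any build on one of the four listed
    branches below its fix number is unpatched; other branches are reported as
    unlisted rather than guessed at.
    """
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Commvault version: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    fixed = COMMVAULT_FIXED.get((major, minor))
    if fixed is None:
        return "branch not listed"
    return "vulnerable" if patch < fixed else "patched"


def assess_inventory(inventory: list) -> list:
    """Map each inventory row to a finding with a triage priority.

    Rows are (host, product, version, internet_exposed). Commvault hosts that are
    both unpatched and internet-reachable get 'high' because the article notes
    exploitation needs valid credentials on an internet-accessible system; the
    Brocade flaw is local-admin-to-root, so exposure does not change its rank.
    """
    findings = []
    for host, product, version, exposed in inventory:
        if product == "commvault":
            status = commvault_status(version)
            cve = "CVE-2025-3928"
            if status == "vulnerable":
                priority = "high" if exposed else "medium"
            else:
                priority = "none"
        elif product == "brocade-fos":
            status = fos_status(version)
            cve = "CVE-2025-1976"
            priority = "medium" if status == "vulnerable" else "none"
        else:
            raise ValueError(f"unknown product {product!r}")
        findings.append({"host": host, "cve": cve, "version": version,
                         "status": status, "priority": priority})
    return findings


# Constructed sample inventory (hostnames and versions invented for this example).
SAMPLE_INVENTORY = [
    ("cv-backup-01", "commvault", "11.36.45", True),
    ("cv-backup-02", "commvault", "11.36.46", True),
    ("cv-lab-03", "commvault", "11.28.140", False),
    ("san-switch-a", "brocade-fos", "9.1.1d6", False),
    ("san-switch-b", "brocade-fos", "9.1.1d7", False),
    ("san-switch-c", "brocade-fos", "9.0.1", False),
]

if __name__ == "__main__":
    for f in assess_inventory(SAMPLE_INVENTORY):
        print(f"{f['host']:<14} {f['cve']} {f['version']:<10} "
              f"{f['status']:<24} priority={f['priority']}")
```

Feeding real inventory through this turns the two CISA deadlines into a ranked worklist: the `branch not listed` outcome is deliberate, so that a Commvault branch the advisory does not mention is surfaced for a manual check instead of being silently marked safe.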