CISA warns about actively exploited Broadcom, Commvault vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has added three new flaws to its Known Exploited Vulnerabilities catalog on Monday, affecting Commvault (CVE-2025-3928), Active! Mail (CVE-2025-42599), and Broadcom Brocade (CVE-2025-1976) solutions.


CISA’s KEV catalog is constantly updated and provides IT admins in US federal civilian agencies with instructions on how to remediate these threats and by which date (as mandated by Binding Operational Directive 22-01), but this living document can also come in handy for other organizations around the world.

Vulnerabilities exploited as zero-days

CVE-2025-3928 is an unspecified vulnerability that affected the web server module in all Commvault CommServe, Web Servers, and Command Center software. It was fixed in late February 2024, after it was spotted being exploited in zero-day attacks by a nation-state threat actor.

“Exploiting this vulnerability requires a bad actor to have authenticated user credentials within the Commvault Software environment. Unauthenticated access is not exploitable. For software customers, this means your environment must be: (i) accessible via the internet, (ii) compromised through an unrelated avenue, and (iii) accessed leveraging legitimate user credentials,” the company said.

In a recent update on the February attacks, Commvault said that only a small number of customers have been affected.

“Importantly, there has been no unauthorized access to customer backup data that Commvault stores and protects, and no material impact on our business operations or our ability to deliver products and services,” the company added. It should be noted, though, that the investigation into the incident is not yet over.

CVE-2025-3928 has been fixed in versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for Windows and Linux platforms.

(As a side note: Commvault has recently patched a critical unauthenticated RCE vulnerability in Command Center for which a public PoC exploit is available.)

CVE-2025-42599 is a stack-based buffer overflow vulnerability in the Qualitia Active! Mail web-based email client.

It allows unauthenticated, remote attackers to achieve code execution or trigger a denial-of-service (DoS) condition by sending a specially crafted malicious request, and has been exploited by attackers in zero-day attacks to target organizations in Japan, where the solution is widely used.

Users have been advised to update to Active! Mail 6 BuildInfo: 6.60.06008562 as soon as possible.

Finally, CVE-2025-1976 is a code injection vulnerability in Fabric OS, which runs on Broadcom Brocade data center networking and storage gear.

“Through a flaw in IP Address validation, a local user, assigned one of the pre-defined admin roles or a user-defined role with admin-level privileges, can execute arbitrary code as if they had full root level access,” Broadcom said in an advisory published nearly two weeks ago.

“This vulnerability can allow the user to execute any existing Fabric OS command or can also be used to modify the Fabric OS itself, including adding their own subroutines. Even though achieving this exploit first requires valid access to a role with admin privileges, this vulnerability has been actively exploited in the field.”

No additional details about the attacks have been shared. The vulnerability affects Brocade Fabric OS versions 9.1.0 through 9.1.1d6, and has been fixed in version 9.1.1d7.

“Brocade PSIRT recommends customers to upgrade to a version of Fabric OS that has removed root access for enhanced security where possible,” the company added.
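For defenders checking an asset inventory against the fixed versions above (Commvault CVE-2025-3928 and Brocade Fabric OS CVE-2025-1976), here is an added example that is not from the article or either vendor: it parses both version formats and reports which entries still need patching. The Fabric OS suffix ordering (bare `9.1.1` before `9.1.1a…`, letters sorting alphabetically) is an assumption, and the host names are constructed.

```python
import re
from typing import Dict, List, Tuple

# Version data as stated in the article (Broadcom advisory and Commvault fix list).
FOS_AFFECTED_MIN, FOS_AFFECTED_MAX = "9.1.0", "9.1.1d6"   # fixed in 9.1.1d7
COMMVAULT_FIXED_BUILD: Dict[Tuple[int, int], int] = {
    (11, 36): 46, (11, 32): 89, (11, 28): 141, (11, 20): 217,
}
_FOS_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:([a-z])(\d*))?$")


def parse_fos_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn 'major.minor.patch[letter][n]' (e.g. '9.1.1d6') into a sortable tuple.
    Assumption: the letter suffix sorts alphabetically and a bare '9.1.1'
    precedes '9.1.1a1', which is how the advisory's range reads."""
    match = _FOS_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Fabric OS version: {version!r}")
    major, minor, patch, letter, num = match.groups()
    suffix = (ord(letter) - ord("a") + 1) if letter else 0
    return int(major), int(minor), int(patch), suffix, int(num or 0)


def fos_cve_2025_1976_status(version: str) -> str:
    """'affected' inside the advisory's 9.1.0 .. 9.1.1d6 range, else 'not affected'."""
    parsed = parse_fos_version(version)
    low, high = parse_fos_version(FOS_AFFECTED_MIN), parse_fos_version(FOS_AFFECTED_MAX)
    return "affected" if low <= parsed <= high else "not affected"


def commvault_cve_2025_3928_status(version: str) -> str:
    """Compare a Commvault build (e.g. '11.36.45') with the fixed build of its branch.
    Branches the article does not list return 'unknown': verify with the vendor,
    do not treat as safe."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Commvault version: {version!r}")
    major, branch, build = (int(p) for p in parts)
    fixed = COMMVAULT_FIXED_BUILD.get((major, branch))
    if fixed is None:
        return "unknown"
    return "fixed" if build >= fixed else "affected"


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Map constructed (host, product, version) entries to (host, status)."""
    checks = {"fabric_os": fos_cve_2025_1976_status, "commvault": commvault_cve_2025_3928_status}
    return [(host, checks[product](ver)) for host, product, ver in inventory]
```

An "unknown" Commvault branch or a Fabric OS version outside 9.1.x only means the article does not cover it, not that the host is safe.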
