CISA Adds Actively Exploited Broadcom and Commvault Flaws to KEV Catalog



Apr 29, 2025 | Ravie Lakshmanan | Vulnerability / Internet Security


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added two high-severity security flaws impacting Broadcom Brocade Fabric OS and Commvault Web Server to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.

The vulnerabilities in question are listed below –

  • CVE-2025-1976 (CVSS score: 8.6) – A code injection flaw affecting Broadcom Brocade Fabric OS that allows a local user with administrative privileges to execute arbitrary code with full root privileges
  • CVE-2025-3928 (CVSS score: 8.7) – An unspecified flaw in the Commvault Web Server that allows a remote, authenticated attacker to create and execute web shells

“Exploiting this vulnerability requires a bad actor to have authenticated user credentials within the Commvault Software environment,” Commvault said in an advisory released in February 2025.

“Unauthenticated access is not exploitable. For software customers, this means your environment must be: (i) accessible via the internet, (ii) compromised through an unrelated avenue, and (iii) accessed leveraging legitimate user credentials.”

The vulnerability impacts the following Windows and Linux versions –

  • 11.36.0 – 11.36.45 (Fixed in 11.36.46)
  • 11.32.0 – 11.32.88 (Fixed in 11.32.89)
  • 11.28.0 – 11.28.140 (Fixed in 11.28.141)
  • 11.20.0 – 11.20.216 (Fixed in 11.20.217)

As for CVE-2025-1976, Broadcom said that due to a flaw in IP address validation, a local user with the admin privilege can potentially execute arbitrary code with root privileges on Fabric OS versions 9.1.0 through 9.1.1d6. It has been fixed in version 9.1.1d7.
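Because both advisories express exposure purely as version ranges, the practical first step is to compare each installed build against those ranges. The script below is an added triage example, not code from the article, Commvault or Broadcom; it encodes exactly the ranges quoted above for CVE-2025-3928 and CVE-2025-1976. The only assumption it makes is that a Fabric OS patch suffix such as "d6" sorts after the bare release (9.1.1 < 9.1.1d6 < 9.1.1d7), which is the ordering the "through 9.1.1d6 / fixed in 9.1.1d7" wording implies. The version strings fed in at the bottom are constructed sample inventory, not data from real hosts.

```python
"""Version-range triage for the two KEV entries discussed on the page.

Affected ranges come from the Commvault and Broadcom advisories as quoted
in the article; everything else here (the parser, the sample inventory)
is an added example, not vendor or article code.
"""
import re
from typing import Optional, Tuple

# Commvault Web Server, CVE-2025-3928: (first affected, last affected, fixed in)
COMMVAULT_RANGES = [
    ("11.36.0", "11.36.45", "11.36.46"),
    ("11.32.0", "11.32.88", "11.32.89"),
    ("11.28.0", "11.28.140", "11.28.141"),
    ("11.20.0", "11.20.216", "11.20.217"),
]

# Brocade Fabric OS, CVE-2025-1976: 9.1.0 through 9.1.1d6, fixed in 9.1.1d7
FABRICOS_RANGES = [
    ("9.1.0", "9.1.1d6", "9.1.1d7"),
]

# Dotted numeric version, optionally followed by a Fabric OS style patch
# suffix: a single letter plus a number (e.g. "d6").
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z])?(\d+)?$")


def parse_version(s: str) -> Tuple[Tuple[int, ...], str, int]:
    """Turn '9.1.1d6' into ((9, 1, 1), 'd', 6) and '11.36.45' into ((11, 36, 45), '', 0).

    Assumption (not stated by Broadcom): a bare release sorts below any
    lettered patch of the same release, so 9.1.1 < 9.1.1d6 < 9.1.1d7.
    Tuple comparison in Python gives exactly that ordering.
    """
    m = _VERSION_RE.match(s.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    letter = m.group(2) or ""
    patch = int(m.group(3)) if m.group(3) else 0
    return nums, letter, patch


def affected_by(version: str, ranges) -> Optional[str]:
    """Return the fixed version to move to if `version` is in an affected range, else None.

    None means "not in a listed range": a build below every listed range
    (an older, unlisted branch) or at/after the fix. It is not a proof of
    safety, only that the advisory text does not flag it.
    """
    key = parse_version(version)
    for lo, hi, fixed in ranges:
        if parse_version(lo) <= key <= parse_version(hi):
            return fixed
    return None


def triage(product: str, version: str) -> str:
    """One-line verdict for a (product, installed version) pair."""
    ranges = {"commvault": COMMVAULT_RANGES, "fabricos": FABRICOS_RANGES}[product]
    fixed = affected_by(version, ranges)
    if fixed:
        return f"{product} {version}: AFFECTED, upgrade to {fixed}"
    return f"{product} {version}: not in a listed affected range"


if __name__ == "__main__":
    # Constructed sample inventory for illustration only, not real hosts.
    sample_inventory = [
        ("commvault", "11.36.45"),  # last affected build of the 11.36 branch
        ("commvault", "11.36.46"),  # the fix
        ("commvault", "11.32.10"),
        ("fabricos", "9.1.1d6"),    # last affected Fabric OS patch
        ("fabricos", "9.1.1d7"),    # the fix
        ("fabricos", "9.1.0"),
    ]
    for prod, ver in sample_inventory:
        print(triage(prod, ver))
```

Note that a "not in a listed affected range" result for a Commvault branch the advisory does not mention (for example an older 11.x line) only means the quoted text is silent on it; confirm against the vendor advisory rather than treating it as patched.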

“This vulnerability can allow the user to execute any existing Fabric OS command or can also be used to modify the Fabric OS itself, including adding their own subroutines,” Broadcom noted in a bulletin published on April 17, 2025.


“Even though achieving this exploit first requires valid access to a role with admin privileges, this vulnerability has been actively exploited in the field.”

There are currently no public details on how either of the vulnerabilities has been exploited in the wild, the scale of the attacks, or who may be behind them.

Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary patches for Commvault Web Server and Broadcom Brocade Fabric OS by May 19, 2025.
