CVE-2025-3928

HIGH CISA KEV EPSS 77.5%
Published Apr 25, 20251y ago · Modified Jun 17, 20261w ago
8.7 CVSS 4.0
High
Find Similar
Published Apr 25, 2025 1y ago
Last Modified Jun 17, 2026 1w ago
KEV Listed Apr 28, 2025 1y ago
KEV Due May 19, 2025 407d overdue

Description

Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker. According to the Commvault advisory: "Webservers can be compromised through bad actors creating and executing webshells." Fixed in version 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for Windows and Linux platforms. This vulnerability was added to the CISA Known Exploited Vulnerabilities (KEV) Catalog on 2025-04-28.

CVSS Details

Base Score
8.7
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope X

Threat Intelligence

CISA Known Exploited Overdue 407d
Added
Apr 28, 2025
Due
May 19, 2025

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

EPSS Exploit Probability
77.5% percentile
Exploit & Patch Status
Actively Exploited (KEV)
No Patch Available

Affected Products 6

VendorProductVersionRange
commvaultcommvault*≥11.20.0  –  <11.20.217
commvaultcommvault*≥11.28.0  –  <11.28.141
commvaultcommvault*≥11.32.0  –  <11.32.89
commvaultcommvault*≥11.36.0  –  <11.36.46
linuxlinux_kernel*any
microsoftwindows*any

References 8

  • documentation.commvault.com https://documentation.commvault.com/securityadvisories/CV_2025_03_1.html
    Vendor Advisory
  • bleepingcomputer.com https://www.bleepingcomputer.com/news/security/commvault-says-recent-breach-didnt-impact-customer-backup-data/
    Third Party Advisory
  • cisa.gov https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-3928
    US Government Resource
  • cisa.gov https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2025-3928
    Third Party AdvisoryUS Government Resource
  • cisa.gov https://www.cisa.gov/news-events/alerts/2025/05/22/advisory-update-cyber-threat-activity-targeting-commvaults-saas-cloud-application-metallic
    Third Party AdvisoryUS Government Resource
  • commvault.com https://www.commvault.com/blogs/customer-security-update
    Vendor Advisory
  • commvault.com https://www.commvault.com/blogs/notice-security-advisory-update
    Vendor Advisory
  • commvault.com https://www.commvault.com/blogs/security-advisory-march-7-2025
    Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.