Same KEV update included a Commvault flaw: CISA also added a high-severity bug (CVSS 8.7/10) affecting Commvault Web Server to its KEV Catalog, recommending patching under the same BOD directive.

The flaw, tracked as CVE-2025-3928, is an unspecified vulnerability that can be exploited by a remote, authenticated attacker to execute webshells. All versions before 11.36.46, 11.32.89, 11.28.141, and 11.20.217 are affected and must be upgraded to the latest versions.

“Exploiting this vulnerability requires a bad actor to have authenticated user credentials within the Commvault Software environment,” the company said in an advisory. “Unauthenticated access is not exploitable.” The vulnerability affects and must be resolved on Commvault’s CommServe, Web Servers, and Command Center, while client computers remain unaffected.
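A defender's first job after a KEV addition like this is to find out which hosts in the estate still run a build below the fixed threshold. The script below is an added example, not Commvault's or CISA's code, and it makes two assumptions that are not stated on the page: that Commvault version strings have the shape `11.<train>.<build>` (with any trailing components ignored), and that each fixed build quoted above applies to its own `11.<train>` line, so a train the page does not name (for example 11.34) is reported as unknown rather than guessed. Roles follow the advisory's split: CommServe, Web Server and Command Center are in scope, client computers are not. The inventory is constructed sample data.

```python
# Added example (not Commvault's or CISA's code): triage a constructed host
# inventory against the fixed Commvault builds named for CVE-2025-3928.
# Assumptions: version strings are "11.<train>.<build>[.<extra>]", each fixed
# build applies to its own 11.<train> line, and roles follow the advisory's
# split (CommServe / Web Server / Command Center affected, clients not).

# Fixed builds quoted in the KEV write-up, keyed by (major, train).
FIXED_BUILDS = {
    (11, 36): (11, 36, 46),
    (11, 32): (11, 32, 89),
    (11, 28): (11, 28, 141),
    (11, 20): (11, 20, 217),
}

# Roles the advisory says must be remediated (normalised to lowercase).
AFFECTED_ROLES = {"commserve", "webserver", "commandcenter"}


def parse_version(text):
    """Return (major, train, build) from a dotted version string.

    Raises ValueError for anything that is not at least three numeric parts.
    """
    parts = text.strip().split(".")
    if len(parts) < 3:
        raise ValueError(f"too few components: {text!r}")
    return tuple(int(p) for p in parts[:3])


def assess(version):
    """Classify one version: patched, vulnerable, unknown-train or invalid."""
    try:
        v = parse_version(version)
    except ValueError:
        return "invalid"
    fixed = FIXED_BUILDS.get(v[:2])
    if fixed is None:
        # Train not named on the page: do not guess, escalate to the advisory.
        return "unknown-train"
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory):
    """Map hostname -> status for a list of (host, role, version) tuples."""
    results = {}
    for host, role, version in inventory:
        if role.lower() not in AFFECTED_ROLES:
            # Client computers are out of scope per the advisory.
            results[host] = "not-affected-role"
        else:
            results[host] = assess(version)
    return results


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = [
    ("cs01", "CommServe", "11.36.45"),       # one build short of the fix
    ("web01", "WebServer", "11.36.46"),      # exactly the fixed build
    ("cc01", "CommandCenter", "11.28.140"),  # below fix on the 11.28 line
    ("web02", "WebServer", "11.20.217"),     # fixed build on the 11.20 line
    ("cs02", "CommServe", "11.34.12"),       # train not named on the page
    ("laptop7", "Client", "11.20.100"),      # client role, out of scope
    ("web03", "WebServer", "11.32"),         # malformed inventory record
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10s} {status}")
```

Anything reported as `vulnerable`, `unknown-train` or `invalid` deserves a human look: the first two mean the host is below or outside the quoted fix set, and the third means the inventory record itself cannot be trusted for this decision.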
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3973516/broadcom-backed-san-devices-face-code-injection-attacks-via-a-critical-fabric-os-bug.html

