The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added two high-severity security flaws impacting Broadcom Brocade Fabric OS and Commvault Web Server to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The vulnerabilities in question are listed below –
- CVE-2025-1976 (CVSS score: 8.6) – A code injection flaw affecting Broadcom Brocade Fabric OS that allows a local user with administrative privileges to execute arbitrary code with full root privileges
- CVE-2025-3928 (CVSS score: 8.7) – An unspecified flaw in the Commvault Web Server that allows a remote, authenticated attacker to create and execute web shells

“Exploiting this vulnerability requires a bad actor to have authenticated user credentials within the Commvault Software environment,” Commvault said in an advisory released in February 2025.
“Unauthenticated access is not exploitable. For software customers, this means your environment must be: (i) accessible via the internet, (ii) compromised through an unrelated avenue, and (iii) accessed leveraging legitimate user credentials.”
The vulnerability affects the following Windows and Linux versions –
- 11.36.0 – 11.36.45 (Fixed in 11.36.46)
- 11.32.0 – 11.32.88 (Fixed in 11.32.89)
- 11.28.0 – 11.28.140 (Fixed in 11.28.141)
- 11.20.0 – 11.20.216 (Fixed in 11.20.217)
As for CVE-2025-1976, Broadcom said that due to a flaw in IP address validation, a local user with the admin privilege can potentially execute arbitrary code with root privileges on Fabric OS versions 9.1.0 through 9.1.1d6. It has been fixed in version 9.1.1d7.
“This vulnerability can allow the user to execute any existing Fabric OS command or can also be used to modify the Fabric OS itself, including adding their own subroutines,” Broadcom noted in a bulletin published on April 17, 2025.
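The affected ranges above are the kind of data a defender ends up checking against an asset inventory, and the obvious pitfall is comparing version strings lexically ("11.36.9" sorts after "11.36.45" as text, which would mark a vulnerable build as patched). The following is an added example, not code from Commvault or CISA: it encodes the four ranges exactly as the advisory text lists them and compares versions numerically. The assumption that Commvault builds are written as dot-separated integers (e.g. "11.36.45") and the sample inventory are both constructed for illustration.

```python
"""Check an installed Commvault Web Server build against the affected
ranges listed for CVE-2025-3928.

Added example for this article, not Commvault's or CISA's code. The
ranges are copied from the advisory text; the version-string format
(dot-separated integers such as "11.36.45") is an assumption.
"""
from typing import Optional, Tuple

# (first affected, last affected, first fixed) per maintenance branch,
# exactly as the advisory lists them.
AFFECTED_RANGES = [
    ("11.36.0", "11.36.45", "11.36.46"),
    ("11.32.0", "11.32.88", "11.32.89"),
    ("11.28.0", "11.28.140", "11.28.141"),
    ("11.20.0", "11.20.216", "11.20.217"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11.36.45' into (11, 36, 45) so that comparison is numeric.

    A plain string comparison would get this wrong: '11.36.9' > '11.36.45'
    lexically, which would report a vulnerable build as already patched.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed build on the same branch if `version` lies
    inside an affected range (inclusive), else None (already patched, or
    a branch the advisory does not list)."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return fixed
    return None


def is_affected(version: str) -> bool:
    """True if `version` falls in any of the affected ranges."""
    return fixed_version_for(version) is not None


if __name__ == "__main__":
    # Constructed sample inventory; host names and builds are made up.
    inventory = {
        "cv-web-01": "11.36.45",   # last affected build on the 11.36 branch
        "cv-web-02": "11.36.46",   # first fixed build
        "cv-web-03": "11.28.9",    # would be mis-ranked by a string compare
    }
    for host, build in inventory.items():
        target = fixed_version_for(build)
        status = f"AFFECTED, upgrade to {target}" if target else "not in an affected range"
        print(f"{host}: {build} -> {status}")
```

Feed it the build strings from your own inventory tooling; anything that returns a fixed version is a host still inside a range the advisory lists as affected.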

“Even though achieving this exploit first requires valid access to a role with admin privileges, this vulnerability has been actively exploited in the field.”
There are currently no public details on how either of the vulnerabilities has been exploited in the wild, the scale of the attacks, or who may be behind them.
Federal Civilian Executive Branch (FCEB) agencies are recommended to apply the necessary patches for the Commvault Web Server by May 17, 2025, and Broadcom Brocade Fabric OS by May 19, respectively.