The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is warning that vulnerabilities in Broadcom Brocade Fabric OS, Commvault web servers, and Qualitia Active! mail clients are being actively exploited in attacks.
The flaws were added yesterday to CISA's 'Known Exploited Vulnerabilities' (KEV) catalog, with the Broadcom Brocade Fabric OS and Commvault flaws not previously tagged as exploited.
Broadcom Brocade Fabric OS is a specialized operating system that runs on the company's Brocade Fibre Channel switches to manage and optimize storage area networks (SAN).
Earlier this month, Broadcom disclosed an arbitrary code execution flaw impacting Fabric OS versions 9.1.0 through 9.1.1d6, tracked as CVE-2025-1976.
While the flaw requires admin privileges to exploit, Broadcom says it has been actively exploited in attacks.
"This vulnerability can allow the user to execute any existing Fabric OS command or can also be used to modify the Fabric OS itself, including adding their own subroutines," reads Broadcom's bulletin.
"Even though achieving this exploit first requires valid access to a role with admin privileges, this vulnerability has been actively exploited in the field."
CVE-2025-1976 was addressed with the release of Brocade Fabric OS 9.1.1d7. The newest branch, 9.2.0, is not impacted by this vulnerability.
The Commvault flaw, tracked as CVE-2025-3928, is an unspecified security issue that authenticated attackers can exploit remotely to plant webshells on target servers.
Commvault web servers are the user-facing and API components of a backup system used by enterprises to protect and restore critical data.
Despite the requirements for authentication and exposure of the environment to the internet, the flaw is under active exploitation in the wild.
CVE-2025-3928 was fixed in versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for Windows and Linux platforms.
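A quick way to triage an inventory of Commvault web servers against the fixed versions listed above, as an added example that is not part of the article or of Commvault's tooling. It assumes that each fixed version applies to its own feature release branch (identified by the first two version components) and that any build at or above the fix within that branch is patched; versions in branches the article does not name are reported as unknown rather than guessed.

```python
# Added example (not from the article): check installed Commvault web server
# versions against the fixed versions named for CVE-2025-3928.
# Assumption (mine, not stated in the article): each fixed version applies to
# its own feature release branch (11.36, 11.32, 11.28, 11.20), and any build at
# or above the fix within the same branch is patched. Branches not listed are
# reported as 'unknown-branch' so an operator checks them by hand.
from typing import Dict, Iterable, Tuple

FIXED_VERSIONS = ("11.36.46", "11.32.89", "11.28.141", "11.20.217")  # from the article


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '11.36.46' into (11, 36, 46) so components compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def commvault_status(installed: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-branch' for an installed version."""
    inst = parse_version(installed)
    if len(inst) < 3:
        raise ValueError(f"need major.minor.build, got {installed!r}")
    branch = inst[:2]
    for fixed in FIXED_VERSIONS:
        fix = parse_version(fixed)
        if fix[:2] == branch:
            # Tuple comparison is element-wise, so 11.36.45 < 11.36.46.
            return "patched" if inst >= fix else "vulnerable"
    return "unknown-branch"


# Constructed inventory lines in a 'host,version' shape an asset register might export.
SAMPLE_INVENTORY = [
    "bkp-web-01,11.36.45",
    "bkp-web-02,11.36.46",
    "bkp-web-03,11.20.300",
    "bkp-web-04,11.30.12",
]


def triage(lines: Iterable[str]) -> Dict[str, str]:
    """Map each host name to its patch status."""
    result = {}
    for line in lines:
        host, version = line.split(",", 1)
        result[host] = commvault_status(version)
    return result


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```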
The third flaw CISA added to KEV is CVE-2025-42599, a stack-based buffer overflow issue impacting all versions of Active! mail up to and including 'BuildInfo: 6.60.05008561' on all OS platforms.
Active! mail is a web-based email client widely used by government, financial, and IT service organizations in Japan.
The flaw was flagged as actively exploited last week by Japan's CERT, while SMB providers and ISPs in the country also announced service outages caused by related exploitation activity.
Qualitia addressed the problem with the release of Active! mail 6 BuildInfo: 6.60.06008562.
CISA has given impacted organizations until May 17, 2025, to apply fixes or available mitigations for CVE-2025-3928 and May 19, 2025, for the other two flaws.