The US Cybersecurity and Infrastructure Security Agency (CISA) added two high-strength security flaws on Monday.
The vulnerabilities in question are listed below –
CVE-2025-1976 (CVSS score: 8.6) – Code injection flaw affecting Broadcom Brocade Fabric OS that allows local users with administrative privileges to execute arbitrary code with full root privileges CVE-2025-3928 (CVSS score: 8.7) – Except for attacker attacker, edectified attacker attacker
“To exploit this vulnerability, bad actors will need to authenticate their user credentials within the Commvault software environment,” Commvault said in an advisory released in February 2025.
“Unauthenticated access will not be exploited. For software customers, this means that your environment will:
The vulnerability affects the following Windows and Linux versions –
11.36.0-11.36.45 (fixed to 11.36.46) 11.32.0-11.32.88 (fixed to 11.32.89) 11.28.0-11.28.141) 11.20.0-11.20.216 (fixed to 11.20.217)
Regarding CVE-2025-1976, Broadcom said that because of the defective IP address verification, local users with Admin privileges may be able to execute arbitrary code with root privileges on Fabric OS versions 9.1.0 to 9.1.1D6. Fixed in version 9.1.1D7.
“The vulnerability allows users to execute existing fabric OS commands or use them to modify the fabric OS itself, such as by adding their own subroutines,” said a breaking news release published on April 17, 2025.
“To achieve this exploit, effective access to roles with administrative rights is required first, but this vulnerability is being actively exploited in this area.”
Currently there is no public details about how any of the vulnerabilities are being exploited in the wild, the scale of the attacks, and who is behind them.
A Federal Private Enforcement Division (FCEB) agency is recommended to apply the required patches to the Commvault web server by May 17, 2025 and to apply the Broadcom Brocade Fabric OS by May 19, respectively.
Source link
