CVE-2025-3928
Severity: HIGH | CISA KEV | CVSS 8.8
Description
Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker. According to the Commvault advisory: "Webservers can be compromised through bad actors creating and executing webshells." Fixed in versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for Windows and Linux platforms. This vulnerability was added to the CISA Known Exploited Vulnerabilities (KEV) Catalog on 2025-04-28.
CVE Details
CVSS v3.1 Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Published: 4/25/2025
Last Modified: 10/31/2025
Source: kev
Honeypot Sightings: 0
CISA KEV
Vendor: Commvault
Product: Web Server
Vulnerability Name: Commvault Web Server Unspecified Vulnerability
KEV Date Added: 2025-04-28
Remediation Due Date: 2025-05-19
Ransomware Use: Unknown
Affected Products
commvault:commvault
linux:linux_kernel
microsoft:windows
References
https://documentation.commvault.com/securityadvisories/CV_2025_03_1.html
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2025-3928
https://www.cisa.gov/news-events/alerts/2025/05/22/advisory-update-cyber-threat-activity-targeting-commvaults-saas-cloud-application-metallic
https://www.commvault.com/blogs/customer-security-update
https://www.commvault.com/blogs/notice-security-advisory-update
https://www.commvault.com/blogs/security-advisory-march-7-2025
https://www.bleepingcomputer.com/news/security/commvault-says-recent-breach-didnt-impact-customer-backup-data/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-3928
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.