CVE-2025-3928

Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker. According to the Commvault advisory: "Webservers can be compromised through bad actors creating and executing webshells." Fixed in versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for Windows and Linux platforms. This vulnerability was added to the CISA Known Exploited Vulnerabilities (KEV) Catalog on 2025-04-28.
Configurations

Configuration 1

AND
  OR
    cpe:2.3:a:commvault:commvault:*:*:*:*:*:*:*:*
    cpe:2.3:a:commvault:commvault:*:*:*:*:*:*:*:*
    cpe:2.3:a:commvault:commvault:*:*:*:*:*:*:*:*
    cpe:2.3:a:commvault:commvault:*:*:*:*:*:*:*:*
  OR
    cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

History

28 May 2025, 20:51

Summary (es)
  Added: Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker. According to the Commvault advisory: "Webservers can be compromised through bad actors creating and executing webshells." Fixed in versions 11.36.46, 11.32.89, 11.28.141 and 11.20.217 for Windows and Linux platforms. CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog on 28/04/2025.

Summary (en)
  Removed: Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker. According to the Commvault advisory: "Webservers can be compromised through bad actors creating and executing webshells." Fixed in versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for Windows and Linux platforms.
  Added: Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker. According to the Commvault advisory: "Webservers can be compromised through bad actors creating and executing webshells." Fixed in versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for Windows and Linux platforms. This vulnerability was added to the CISA Known Exploited Vulnerabilities (KEV) Catalog on 2025-04-28.

CWE
  Added: NVD-CWE-noinfo

First Time
  Added: Linux; Commvault commvault; Microsoft; Microsoft windows; Linux linux Kernel; Commvault

CPE
  Added:
  • cpe:2.3:a:commvault:commvault:*:*:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

References
  Added:
  • https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2025-3928 - Third Party Advisory, US Government Resource
  • https://www.cisa.gov/news-events/alerts/2025/05/22/advisory-update-cyber-threat-activity-targeting-commvaults-saas-cloud-application-metallic - Third Party Advisory, US Government Resource
  • https://www.commvault.com/blogs/customer-security-update - Vendor Advisory
  • https://www.commvault.com/blogs/notice-security-advisory-update - Vendor Advisory
  • https://www.commvault.com/blogs/security-advisory-march-7-2025 - Vendor Advisory
  • https://www.bleepingcomputer.com/news/security/commvault-says-recent-breach-didnt-impact-customer-backup-data/ - Third Party Advisory

References
  Removed: https://documentation.commvault.com/securityadvisories/CV_2025_03_1.html
  Added: https://documentation.commvault.com/securityadvisories/CV_2025_03_1.html - Vendor Advisory

25 Apr 2025, 16:15

New CVE

Information

Published : 2025-04-25 16:15

Updated : 2025-05-28 20:51


NVD link : CVE-2025-3928

Mitre link : CVE-2025-3928

CVE.ORG link : CVE-2025-3928

Products Affected

microsoft

  • windows

commvault

  • commvault

linux

  • linux_kernel