The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added two high-severity security flaws impacting Broadcom Brocade Fabric OS and Commvault Web Server to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The vulnerabilities in question are listed below –
- CVE-2025-1976 (CVSS score: 8.6) – A code injection flaw affecting Broadcom Brocade Fabric OS that allows a local user with administrative privileges to execute arbitrary code with full root privileges
- CVE-2025-3928 (CVSS score: 8.7) – An unspecified flaw in the Commvault Web Server that allows a remote, authenticated attacker to create and execute web shells
“Exploiting this vulnerability requires a bad actor to have authenticated user credentials within the Commvault Software environment,” Commvault said in an advisory released in February 2025.
“Unauthenticated access is not exploitable. For software customers, this means your environment must be: (i) accessible via the internet, (ii) compromised through an unrelated avenue, and (iii) accessed leveraging legitimate user credentials.”
The vulnerability impacts the following Windows and Linux versions –
- 11.36.0 – 11.36.45 (Fixed in 11.36.46)
- 11.32.0 – 11.32.88 (Fixed in 11.32.89)
- 11.28.0 – 11.28.140 (Fixed in 11.28.141)
- 11.20.0 – 11.20.216 (Fixed in 11.20.217)
As for CVE-2025-1976, Broadcom said that due to a flaw in IP address validation, a local user with the admin privilege can potentially execute arbitrary code with root privileges on Fabric OS versions 9.1.0 through 9.1.1d6. It has been fixed in version 9.1.1d7.
“This vulnerability can allow the user to execute any existing Fabric OS command or can also be used to modify the Fabric OS itself, including adding their own subroutines,” Broadcom noted in a bulletin published on April 17, 2025.
“Even though achieving this exploit first requires valid access to a role with admin privileges, this vulnerability has been actively exploited in the field.”
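Both advisories describe the affected builds as numeric version ranges, and a naive string comparison gets these wrong (lexicographically "11.32.9" sorts after "11.32.88", and "9.1.1d10" before "9.1.1d6"). The checker below is an added example written for this page, not code published by CISA, Commvault or Broadcom: it parses both version schemes, tests an inventory against the ranges quoted above, and reports the fix release to move to. The hostnames are constructed sample data, and the grammar assumed for the Fabric OS patch suffix (one letter followed by an optional number, as in 9.1.1d6) is an assumption based only on the versions the article quotes.

```python
import re
from typing import List, Optional, Sequence, Tuple

# Affected ranges exactly as quoted in the article above:
# (first vulnerable release, last vulnerable release, first fixed release).
COMMVAULT_RANGES = [
    ("11.36.0", "11.36.45", "11.36.46"),
    ("11.32.0", "11.32.88", "11.32.89"),
    ("11.28.0", "11.28.140", "11.28.141"),
    ("11.20.0", "11.20.216", "11.20.217"),
]
FABRIC_OS_RANGES = [
    ("9.1.0", "9.1.1d6", "9.1.1d7"),
]

# major.minor.patch with an optional Fabric OS patch suffix such as "d6".
# The suffix grammar (one letter, optional number) is an assumption made
# for this example, based only on the versions quoted in the article.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:([a-z])(\d+)?)?$")


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn '11.36.45' or '9.1.1d6' into a tuple that compares numerically.

    Components are integers, so 11.32.9 < 11.32.88 and 9.1.1d6 < 9.1.1d10,
    which a plain string comparison gets wrong. A bare release ('9.1.1')
    sorts before any suffixed build of the same release ('9.1.1a').
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, letter, build = m.groups()
    return (
        int(major),
        int(minor),
        int(patch),
        ord(letter) if letter else 0,
        int(build) if build else 0,
    )


def fix_for(version: str, ranges: Sequence[Tuple[str, str, str]]) -> Optional[str]:
    """Return the first fixed release if `version` lies inside a vulnerable
    range, or None if the build is not one the vendor lists as affected."""
    v = parse_version(version)
    for first_bad, last_bad, fixed in ranges:
        if parse_version(first_bad) <= v <= parse_version(last_bad):
            return fixed
    return None


# Constructed sample inventory for this example; these are not real hosts.
SAMPLE_INVENTORY = [
    ("cv-web-01", "commvault", "11.36.45"),  # last vulnerable 11.36 build
    ("cv-web-02", "commvault", "11.36.46"),  # fixed
    ("cv-web-03", "commvault", "11.32.9"),   # a string compare would call this safe
    ("fc-sw-01", "fabricos", "9.1.1d6"),     # last vulnerable Fabric OS build
    ("fc-sw-02", "fabricos", "9.1.1d7"),     # fixed
    ("fc-sw-03", "fabricos", "9.0.1c"),      # outside the published range
]

RANGES_BY_PRODUCT = {
    "commvault": COMMVAULT_RANGES,
    "fabricos": FABRIC_OS_RANGES,
}


def triage(inventory: Sequence[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, running version, fix release) for every affected host."""
    findings = []
    for host, product, version in inventory:
        fixed = fix_for(version, RANGES_BY_PRODUCT[product])
        if fixed is not None:
            findings.append((host, version, fixed))
    return findings


if __name__ == "__main__":
    for host, version, fixed in triage(SAMPLE_INVENTORY):
        print(f"{host}: running {version}, upgrade to {fixed}")
```

The range test only tells you whether a build is one the vendor lists as affected. For CVE-2025-3928 the advisory quoted above makes exploitation contingent on the Web Server being reachable and on an attacker holding valid credentials, so a match here should feed a review of exposure and of recent authentications, not just a patch ticket.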
There are currently no public details on how either of the vulnerabilities has been exploited in the wild, the scale of the attacks, or who may be behind them.
Federal Civilian Executive Branch (FCEB) agencies are recommended to apply the necessary patches for the Commvault Web Server by May 17, 2025, and for Broadcom Brocade Fabric OS by May 19, 2025, respectively.