CISA has officially added a significant security flaw affecting Broadcom’s Brocade Fabric OS to its authoritative Known Exploited Vulnerabilities (KEV) Catalog, underscoring the urgent need for remediation across enterprise and government environments.
The vulnerability, tracked as CVE-2025-1976, is classified as a code injection vulnerability and carries a high CVSS base score of 8.6 due to its potential to allow local attackers with administrative privileges to execute arbitrary code with full root access.
This escalation of privilege could enable a complete compromise of the underlying storage network infrastructure, posing significant risks to data integrity and operational continuity.
CVE-2025-1976 specifically affects Brocade Fabric OS versions 9.1.0 through 9.1.1d6. Although these versions had previously removed direct root access as a security measure, a flaw in the validation of IP addresses within the operating system allows a local user with administrative privileges to bypass intended controls.
By exploiting this vulnerability, the attacker can inject and execute arbitrary code as the root user, thereby gaining unrestricted control over the system.
The vulnerability is categorized under CWE-94, “Improper Control of Generation of Code (‘Code Injection’),” which describes scenarios where software constructs code segments using externally influenced input without proper neutralization of special elements.
This allows attackers to alter the syntax or behavior of the code, leading to unintended execution paths or privilege escalation.
In the context of Brocade Fabric OS, exploitation could permit not only the execution of existing system commands but also the modification of core operating system components, including the insertion of unauthorized subroutines or backdoors.
The technical vector for exploitation is local, requiring authenticated administrative access. However, in environments where administrative credentials are widely distributed or insufficiently protected, the risk of compromise increases substantially.
The vulnerability does not require user interaction or complex attack chains, further amplifying its severity rating.
| Risk Factors | Details |
|---|---|
| Affected Products | Brocade Fabric OS versions 9.1.0 through 9.1.1d6 |
| Impact | Allows a local admin user to execute arbitrary code with full root privileges |
| Exploit Prerequisites | Local access with administrative privileges |
| CVSS 3.1 Score | 8.6 (High) |
CISA’s decision to add CVE-2025-1976 to the KEV Catalog is based on evidence of active exploitation in the wild.
Security advisories and threat intelligence reports have confirmed that attackers are leveraging this flaw to gain root-level access on affected Brocade Fabric OS installations.
While there is currently no public proof-of-concept code available, the presence of exploitation activity elevates the urgency for organizations to respond.
The KEV Catalog, established under Binding Operational Directive (BOD) 22-01, serves as a prioritized list of vulnerabilities that pose significant risk to federal and critical infrastructure networks.
Federal Civilian Executive Branch (FCEB) agencies are mandated to remediate listed vulnerabilities within the specified timeline, which for CVE-2025-1976 is May 19, 2025.
CISA strongly recommends that private sector organizations also prioritize remediation in alignment with this directive, given the potential for lateral movement and broader network compromise.
Broadcom has issued a security advisory and released a patched version of Brocade Fabric OS (version 9.1.1d7) that addresses the code injection vulnerability.
Organizations are advised to upgrade to this version immediately to mitigate the risk of exploitation.
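To help asset owners triage which switches still sit inside the affected range (9.1.0 through 9.1.1d6) versus the patched 9.1.1d7 release, here is an added example of a version-range checker; it is not code from Broadcom or CISA, and the ordering rule for lettered patch suffixes (e.g. "d6" before "d7", unsuffixed release before lettered ones) and the sample hostnames are my assumptions.

```python
import re
from typing import Dict, Tuple

# Affected range and fixed release exactly as stated in the advisory text.
AFFECTED_MIN = "9.1.0"
AFFECTED_MAX = "9.1.1d6"
FIXED_VERSION = "9.1.1d7"

# Accepts an optional leading "v" as seen in version strings like "v9.1.1d6".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:([a-z])(\d+)?)?$")


def parse_fos_version(text: str) -> Tuple[int, int, int, int, int]:
    """Convert a Fabric OS version string into a sortable tuple.

    Assumption (mine, not Broadcom's documented ordering): a release with no
    letter suffix precedes its lettered patches, letters sort alphabetically,
    and the trailing number orders within a letter, so 9.1.1 < 9.1.1d6 < 9.1.1d7.
    """
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Fabric OS version: {text!r}")
    major, minor, patch, letter, num = m.groups()
    letter_rank = (ord(letter) - ord("a") + 1) if letter else 0
    num_rank = int(num) if num else 0
    return (int(major), int(minor), int(patch), letter_rank, num_rank)


def is_affected(version: str) -> bool:
    """True if the version falls inside the advisory's affected range."""
    v = parse_fos_version(version)
    return parse_fos_version(AFFECTED_MIN) <= v <= parse_fos_version(AFFECTED_MAX)


def assess(version: str) -> str:
    """AFFECTED, PATCHED (9.1.1d7 or later 9.1.1 patch), or NOT_LISTED."""
    v = parse_fos_version(version)
    if is_affected(version):
        return "AFFECTED"
    if v[:3] == (9, 1, 1) and v >= parse_fos_version(FIXED_VERSION):
        return "PATCHED"
    return "NOT_LISTED"  # outside the range the advisory describes


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {"san-sw-01": "v9.1.1d6", "san-sw-02": "v9.1.1d7", "san-sw-03": "9.1.0"}


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each switch to its remediation status for CVE-2025-1976."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```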
In cases where immediate patching is not feasible, administrators should restrict and audit admin-level access, enforce strict access controls, and monitor for suspicious activity originating from privileged accounts.
Isolating Fabric OS systems from less trusted networks and regularly reviewing system logs for anomalous behavior are also recommended interim measures.
The incident serves as a reminder of the importance of robust access controls, timely patch management, and continuous monitoring in safeguarding mission-critical systems.