The Cybersecurity and Infrastructure Security Agency (CISA) has added the Commvault Web Server vulnerability (CVE-2025-3928) to its Known Exploited Vulnerabilities (KEV) catalog, indicating that threat actors are actively exploiting this security flaw in the wild.
The agency announced this addition on April 28, 2025, giving federal agencies until May 17, 2025, to remediate the vulnerability in accordance with Binding Operational Directive (BOD) 22-01.
Commvault Web Server Unspecified Vulnerability - CVE-2025-3928
CVE-2025-3928 is classified as an “unspecified vulnerability” affecting Commvault Web Server that enables remote, authenticated attackers to create and execute webshells on compromised systems.
According to the National Vulnerability Database, this high-severity flaw carries a CVSS base score of 8.8, reflecting its significant potential impact.
“Web Servers can be compromised through bad actors creating and executing webshells,” states the Commvault advisory referenced by CISA.
This type of attack allows malicious actors to maintain persistent access to compromised systems while executing arbitrary commands with the privileges of the web server.
The vulnerability has been assigned an Exploit Prediction Scoring System (EPSS) score of 0.10%, the estimated probability that it will be exploited in the wild within the next 30 days.
Despite this relatively low percentage, CISA’s addition of the vulnerability to the KEV catalog confirms that exploitation is already occurring.
| Risk Factors | Details |
| --- | --- |
| Affected Products | Commvault Web Server (Windows & Linux) up to 11.20.216, 11.28.140, 11.32.88, 11.36.45 |
| Impact | Complete server compromise; execution of webshells; confidential data exposure; service disruption; integrity modification |
| Exploit Prerequisites | Remote, authenticated attacker with low privileges |
| CVSS 3.1 Score | 8.8 (High) |
Affected Systems and Patched Versions
The security flaw affects Commvault Web Server deployments across both Windows and Linux platforms. Commvault has addressed this vulnerability in the following versions:
- 11.36.46
- 11.32.89
- 11.28.141
- 11.20.217
Organizations running earlier versions of the software remain vulnerable to potential attacks.
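Because the fix lands in a different build on each maintenance branch, a plain "newer than X" comparison is not enough when checking an inventory. The following is an added example (not code from the advisory or from Commvault) that compares a version string against the fixed builds listed above, branch by branch; the "major.minor.build" version format and the sample inventory are assumptions.

```python
from __future__ import annotations

# Added example, not from the advisory or from Commvault. Version strings are
# assumed to look like "11.36.45" (major.minor.build); the sample hosts and
# versions at the bottom are constructed for illustration.

# Fixed build per maintenance branch, taken from the advisory's patched-version list.
FIXED_BUILDS = {
    (11, 20): 217,
    (11, 28): 141,
    (11, 32): 89,
    (11, 36): 46,
}


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse 'major.minor.build' into integers; raise ValueError on any other shape."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Commvault version format: {version!r}")
    major, minor, build = (int(p) for p in parts)
    return major, minor, build


def is_vulnerable(version: str) -> bool | None:
    """
    True  -> build is below the fixed build of its branch (vulnerable).
    False -> build is at or above the fixed build (patched).
    None  -> branch is not in the advisory's list, so no automatic verdict;
             such hosts are flagged for manual review rather than marked safe.
    """
    major, minor, build = parse_version(version)
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:
        return None
    return build < fixed


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by patch status for a {host: version} inventory."""
    buckets: dict[str, list[str]] = {"vulnerable": [], "patched": [], "review": []}
    for host, version in sorted(inventory.items()):
        status = is_vulnerable(version)
        key = "review" if status is None else ("vulnerable" if status else "patched")
        buckets[key].append(host)
    return buckets


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and versions).
    sample = {"cv-web-01": "11.36.45", "cv-web-02": "11.36.46",
              "cv-web-03": "11.20.100", "cv-web-04": "11.24.30"}
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

A branch the advisory does not list ends up in the "review" bucket on purpose: silence in the advisory is not evidence that the build is patched.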
CISA recommends that organizations take one of the following actions by the May 17 deadline:
- Apply mitigations according to vendor instructions
- Follow applicable BOD 22-01 guidance for cloud services
- Discontinue use of the product if mitigations are unavailable
While BOD 22-01 requirements formally apply only to Federal Civilian Executive Branch (FCEB) agencies, CISA strongly encourages all organizations to prioritize the timely remediation of catalog vulnerabilities as part of their security practices.