The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding a critical security flaw in the Commvault Web Server, tracked as CVE-2025-3928.
This vulnerability, which has already been exploited in the wild, seriously threatens organizations relying on Commvault’s widely used data protection and backup solutions.
CVE-2025-3928: Exploitation and Impact
The flaw allows remote, authenticated attackers to create and execute webshells on affected Commvault Web Servers, potentially leading to full system compromise.
Attackers do not need administrative privileges: any authenticated user with access to the exposed environment could exploit the vulnerability.
This could result in unauthorized access, data theft, and the deployment of additional malicious payloads.
While there is no current evidence linking this vulnerability to active ransomware campaigns, the use of webshells is a common tactic among ransomware operators, raising concerns about future exploitation.
Scope and Affected Versions
The vulnerability affects both Windows and Linux installations of the Commvault Web Server in the following versions:
- 11.36.0 – 11.36.45 (fixed in 11.36.46)
- 11.32.0 – 11.32.88 (fixed in 11.32.89)
- 11.28.0 – 11.28.140 (fixed in 11.28.141)
- 11.20.0 – 11.20.216 (fixed in 11.20.217)
Commvault has released patches for all supported versions, and CISA has set a remediation deadline of May 17, 2025, for federal agencies and strongly encourages private sector organizations to act immediately.
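As an added example (not Commvault's or CISA's code), the following script turns the version ranges above into a quick inventory check: it parses a deployed Commvault Web Server version, reports whether it falls inside one of the four affected ranges, and names the fixed build to move to. It assumes versions are written as `major.minor.build` (e.g. `11.36.12`), matching the advisory's notation; the hostnames in the sample inventory are placeholders.

```python
# Added example: check deployed Commvault Web Server versions against the
# CVE-2025-3928 affected ranges listed in the advisory. Not vendor code.
# Assumption: version strings look like "11.36.12" (major.minor.build).

from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, last affected, first fixed) per release line, as stated
# in the advisory text above.
AFFECTED_RANGES = [
    ((11, 36, 0), (11, 36, 45), (11, 36, 46)),
    ((11, 32, 0), (11, 32, 88), (11, 32, 89)),
    ((11, 28, 0), (11, 28, 140), (11, 28, 141)),
    ((11, 20, 0), (11, 20, 216), (11, 20, 217)),
]


def parse_version(text: str) -> Version:
    """Parse "11.36.12" into (11, 36, 12); reject any other shape."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Commvault version format: {text!r}")
    major, minor, build = (int(p) for p in parts)
    return (major, minor, build)


def check_cve_2025_3928(text: str) -> Optional[str]:
    """Return the fixed version to upgrade to if `text` is affected, else None.

    Tuple comparison orders (major, minor, build) numerically, so "11.36.9"
    sorts below "11.36.45" as intended. Versions outside the four listed
    release lines return None: the advisory claims nothing about them.
    """
    version = parse_version(text)
    for first, last, fixed in AFFECTED_RANGES:
        if first <= version <= last:
            return ".".join(str(n) for n in fixed)
    return None


if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders.
    inventory = {"bkp-01": "11.36.12", "bkp-02": "11.36.46", "bkp-03": "11.28.140"}
    for host, ver in inventory.items():
        fix = check_cve_2025_3928(ver)
        status = f"AFFECTED, upgrade to {fix}" if fix else "not in an affected range"
        print(f"{host}: {ver} -> {status}")
```

A version that is not in an affected range is reported as such only with respect to this advisory; it says nothing about other Commvault fixes.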
CISA’s Recommendations
- Apply Commvault’s security patches or mitigation instructions as soon as possible.
- Follow guidance under Binding Operational Directive (BOD) 22-01 to ensure cloud service security protocols are current.
- If patches are unavailable, discontinue use of vulnerable servers until a fix is in place.
- Audit system access, monitor for indicators of compromise, and review system logs for suspicious activity.
Risk Factor Table: CVE-2025-3928
| Risk Factor | Details |
|---|---|
| CVE Identifier | CVE-2025-3928 |
| CVSS Score | 8.7–8.8 (High) |
| Attack Vector | Remote, authenticated access (no admin rights required) |
| Affected Platforms | Windows, Linux (Commvault Web Server) |
| Affected Versions | 11.36.0–11.36.45, 11.32.0–11.32.88, 11.28.0–11.28.140, 11.20.0–11.20.216 |
| Fixed Versions | 11.36.46, 11.32.89, 11.28.141, 11.20.217 |
| Exploitation Status | Actively exploited in the wild |
| Potential Impact | Full system compromise, data theft, webshell deployment, further malware installation |
| Patch Availability | Yes (from Commvault) |
| Remediation Deadline | May 17, 2025 (for federal agencies) |
Security analysts emphasize that attackers move quickly to exploit newly disclosed vulnerabilities.
Organizations are urged to prioritize patching, monitor for suspicious activity, and ensure all Commvault environments are secured without delay.