CVE-2025-3928
HIGH KEV
Commvault Web Server <11.36.46, <11.32.89, <11.28.141, <11.20.217 -...
Title source: llm
Description
Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker. According to the Commvault advisory: "Webservers can be compromised through bad actors creating and executing webshells." Fixed in versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for Windows and Linux platforms. This vulnerability was added to the CISA Known Exploited Vulnerabilities (KEV) Catalog on 2025-04-28.
References (8)
Scores
CVSS v3: 8.8
EPSS: 0.1616
EPSS Percentile: 94.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CISA KEV: 2025-04-28
VulnCheck KEV: 2025-03-07
ENISA EUVD: EUVD-2025-12508
Status: published
Products (1)
commvault/commvault: 11.20.0 - 11.20.217
Published: Apr 25, 2025
KEV Added: Apr 28, 2025
Tracked Since: Feb 18, 2026