
The US Cybersecurity and Infrastructure Security Agency (CISA) has reported active exploitation of two vulnerabilities, CVE-2025-1976 in Broadcom Brocade Fabric OS and CVE-2025-3928 in Commvault Web Server, which allow, respectively, executing malicious code with root privileges and running webshells once an attacker has authenticated access.
CISA has updated its Known Exploited Vulnerabilities (KEV) catalog to add these two serious vulnerabilities in Broadcom Brocade Fabric OS and Commvault Web Server. Both are already being actively exploited by attackers in real-world attacks.
The first issue, CVE-2025-1976 (CVSS: 8.6), allows a local administrator of a Broadcom Fabric OS device (versions 9.1.0 through 9.1.1d6) to execute arbitrary code with root privileges. The second, CVE-2025-3928 (CVSS: 8.7), allows an authenticated remote user to deploy and run webshells on Commvault Web Server. Although both vulnerabilities require some level of access (authentication or administrative privileges) to exploit, the evidence of active attacks indicates a high level of risk. Broadcom has released a fix in version 9.1.1d7, and Commvault is providing patches per release branch, the most recent being 11.36.46.
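Because the Fabric OS advisory is expressed as a version range, the first practical step for a defender is to check an inventory of switches against it. The following is an added example (not code from the article, CISA or Broadcom) that parses Fabric OS version strings of the form shown above and classifies each device against the stated affected range; the ordering rule for lettered patch levels (a bare release sorts before any lettered level, which sort alphabetically and then numerically) and the hostnames in the inventory are assumptions.

```python
import re

# Fabric OS version strings as they appear in the advisory text, e.g.
# "9.1.0", "9.1.1", "9.1.1d6". The ordering assumed here (bare release
# before any lettered patch level; letters then numbers ascending) is an
# assumption for this example, not a documented Broadcom scheme.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:([a-z])(\d+)?)?$")


def parse_fos_version(text: str) -> tuple:
    """Turn a Fabric OS version string into a comparable tuple."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Fabric OS version: {text!r}")
    major, minor, patch, letter, num = m.groups()
    letter_rank = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(patch), letter_rank, int(num or 0))


# Affected range and fixed release for CVE-2025-1976 as stated in the article.
AFFECTED_LOW = parse_fos_version("9.1.0")
AFFECTED_HIGH = parse_fos_version("9.1.1d6")
FIXED = parse_fos_version("9.1.1d7")


def cve_2025_1976_status(version: str) -> str:
    """Classify one switch's Fabric OS version against the advisory range."""
    key = parse_fos_version(version)
    if AFFECTED_LOW <= key <= AFFECTED_HIGH:
        return "affected"
    if key >= FIXED:
        # Includes newer release trains the article does not mention.
        return "at-or-above-fix"
    # Older than 9.1.0: the article lists no status, so do not call it safe.
    return "outside-listed-range"


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "san-sw-01": "9.1.1d6",
    "san-sw-02": "9.1.1d7",
    "san-sw-03": "9.1.0",
    "san-sw-04": "9.0.1b",
}


def triage(inventory: dict) -> dict:
    """Return {status: [hostnames]} so affected switches surface first."""
    report = {"affected": [], "at-or-above-fix": [], "outside-listed-range": []}
    for host, ver in sorted(inventory.items()):
        report[cve_2025_1976_status(ver)].append(host)
    return report


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:22} {', '.join(hosts) or '-'}")
```

Devices reported as "outside-listed-range" should be checked against the vendor advisory directly rather than treated as unaffected.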
Broadcom and Commvault products are widely used by large companies and government agencies. Given the complexity of their architecture and the multiple levels of access involved, even a partial compromise of these systems could give attackers control over critical services, with the attendant risk of data leakage or manipulation.
Although these vulnerabilities are not "zero-click" and require some access to the environment, the confirmed active exploitation makes them particularly dangerous. CISA has set remediation deadlines, which apply in particular to US federal agencies: May 17 for Commvault systems and May 19 for Broadcom devices.