CVE-2025-3928


Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker. According to the Commvault advisory: "Webservers can be compromised through bad actors creating and executing webshells." Fixed in versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for Windows and Linux platforms. This vulnerability was added to the CISA Known Exploited Vulnerabilities (KEV) Catalog on 2025-04-28.


Published: 2025-04-25T16:15:27.817
Last Modified: 2025-10-31T21:59:08.943
Status: Analyzed
Source: 9119a7d8-5eab-497f-8521-727c672e3725
Severity: CVSSv3.1: 8.8 (HIGH)

Weaknesses
  • Type: Primary
    NVD-CWE-noinfo

Affected Vendors & Products
Type              Vendor     Product       Version/Range  Vulnerable?
Application       commvault  commvault     < 11.20.217    Yes
Application       commvault  commvault     < 11.28.141    Yes
Application       commvault  commvault     < 11.32.89     Yes
Application       commvault  commvault     < 11.36.46     Yes
Operating System  linux      linux_kernel  -              No
Operating System  microsoft  windows       -              No
