CVE-2025-3928
Commvault Web Server Unspecified Vulnerability
Confirmed exploited in the wild. Added 2025-04-28.
Federal remediation due 2025-05-19.
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Summary
Commvault Web Server has an unspecified vulnerability that a remote, authenticated attacker can exploit. The Commvault advisory does not name the flaw class and describes the impact only as: "Webservers can be compromised through bad actors creating and executing webshells." Fixed in versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for both Windows and Linux. This vulnerability was added to the CISA Known Exploited Vulnerabilities (KEV) Catalog on 2025-04-28.
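A quick way to turn the fixed builds above into a fleet check, as an added example that is not Commvault's tooling and not part of the original page: it compares each host's reported version against the fixed maintenance build for its release line and, deliberately, reports release lines the advisory excerpt does not list (for instance 11.38) as unknown rather than patched, since absence from the list is not evidence of safety. The hostnames and versions in the sample inventory are constructed.

```python
"""Fixed-build check for CVE-2025-3928 (added example, not Commvault's code)."""
from typing import Dict, Optional, Tuple

# Fixed builds per the Commvault advisory as quoted in the summary above.
# Key: (platform, feature release); value: first fixed maintenance build.
FIXED_BUILDS: Dict[Tuple[int, int], int] = {
    (11, 36): 46,
    (11, 32): 89,
    (11, 28): 141,
    (11, 20): 217,
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse a Commvault-style 'platform.feature.maintenance' string.

    Accepts strings such as '11.36.45' (surrounding whitespace tolerated) and
    raises ValueError on anything else, so a malformed input is never silently
    reported as patched.
    """
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    platform, feature, maint = (int(p) for p in parts)
    return platform, feature, maint


def assess(version: str) -> Tuple[str, str]:
    """Return (status, reason); status is 'patched', 'vulnerable' or 'unknown'.

    'unknown' is returned for release lines not covered by FIXED_BUILDS, because
    the advisory excerpt on this page says nothing about them.
    """
    platform, feature, maint = parse_version(version)
    fixed: Optional[int] = FIXED_BUILDS.get((platform, feature))
    if fixed is None:
        return ("unknown",
                f"release line {platform}.{feature} is not in the fixed-build list "
                f"quoted here; check the vendor advisory")
    if maint >= fixed:
        return "patched", f"{version.strip()} is at or above {platform}.{feature}.{fixed}"
    return "vulnerable", f"{version.strip()} is below fixed build {platform}.{feature}.{fixed}"


def triage(inventory: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Classify a {hostname: version} inventory; malformed entries become 'unknown'."""
    result: Dict[str, Tuple[str, str]] = {}
    for host, version in inventory.items():
        try:
            result[host] = assess(version)
        except ValueError as exc:
            result[host] = ("unknown", str(exc))
    return result


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    sample = {
        "cs-prod-01": "11.36.46",   # exactly the fixed build
        "cs-prod-02": "11.36.40",   # below the fixed build
        "cs-dr-01": "11.20.217",    # fixed build on the oldest listed line
        "cs-lab-01": "11.38.10",    # release line not covered by the excerpt
        "cs-legacy": "11.20",       # malformed / truncated version string
    }
    for host, (status, reason) in sorted(triage(sample).items()):
        print(f"{host:12} {status:10} {reason}")
```

Feed it whatever your CMDB or the CommServe console reports as the installed version; anything that comes back `unknown` needs a manual look at the vendor advisory rather than being counted as remediated.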
CVSS 3.1 breakdown
| Base score | 8.8 (HIGH) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Attack vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | LOW |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | HIGH |
| Integrity | HIGH |
| Availability | HIGH |
Affected products
Commvault Web Server on Windows and Linux in the 11.36, 11.32, 11.28 and 11.20 release lines at builds earlier than the fixed versions listed in the summary (11.36.46, 11.32.89, 11.28.141 and 11.20.217). Release lines not listed here are not covered by this record; consult the vendor advisory for their status.
References
- https://documentation.commvault.com/securityadvisories/CV_2025_03_1.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2025-3928
- https://www.cisa.gov/news-events/alerts/2025/05/22/advisory-update-cyber-threat-activity-targeting-commvaults-saas-cloud-application-metallic
- https://www.commvault.com/blogs/customer-security-update
- https://www.commvault.com/blogs/notice-security-advisory-update
- https://www.commvault.com/blogs/security-advisory-march-7-2025
- https://www.bleepingcomputer.com/news/security/commvault-says-recent-breach-didnt-impact-customer-backup-data/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-3928
Data: NIST NVD + CISA KEV. NVD last modified 2025-10-31. Always verify against the vendor advisory before acting.