8.8

CVE-2025-3928

Warning
Media report

Commvault Web Server unspecified vulnerability

Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker. According to the Commvault advisory: "Webservers can be compromised through bad actors creating and executing webshells." Fixed in versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for Windows and Linux platforms. This vulnerability was added to the CISA Known Exploited Vulnerabilities (KEV) Catalog on 2025-04-28.
Data provided by the National Vulnerability Database (NVD)
Commvault Commvault, Version >= 11.20.0 < 11.20.217
   Linux Linux Kernel, Version -
   Microsoft Windows, Version -
Commvault Commvault, Version >= 11.28.0 < 11.28.141
   Linux Linux Kernel, Version -
   Microsoft Windows, Version -
Commvault Commvault, Version >= 11.32.0 < 11.32.89
   Linux Linux Kernel, Version -
   Microsoft Windows, Version -
Commvault Commvault, Version >= 11.36.0 < 11.36.46
   Linux Linux Kernel, Version -
   Microsoft Windows, Version -

28.04.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog

Vulnerability: Commvault Web Server Unspecified Vulnerability

Description: Commvault Web Server contains an unspecified vulnerability that allows a remote, authenticated attacker to create and execute webshells.

Required actions: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

EPSS metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 1.87% | 0.766

CVSS metrics
Source | Base Score | Exploit Score | Impact Score | Vector String
nvd@nist.gov | 8.8 | 2.8 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
9119a7d8-5eab-497f-8521-727c672e3725 | 8.7 | 0 | 0 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
9119a7d8-5eab-497f-8521-727c672e3725 | 8.8 | 2.8 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

No CWE information has been published yet.
Media Report
09.08.2025 11:36
https://documentation.commvault.com/securityadvisories/CV_2025_03_1.html [Vendor Advisory]
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2025-3928 [Third Party Advisory, US Government Resource]
https://www.commvault.com/blogs/notice-security-advisory-update [Vendor Advisory]
https://www.commvault.com/blogs/security-advisory-march-7-2025 [Vendor Advisory]
https://www.bleepingcomputer.com/news/security/commvault-says-recent-breach-didnt-impact-customer-backup-data/ [Third Party Advisory]
https://www.cisa.gov/news-events/alerts/2025/05/22/advisory-update-cyber-threat-activity-targeting-commvaults-saas-cloud-application-metallic [Third Party Advisory, US Government Resource]
https://www.commvault.com/blogs/customer-security-update [Vendor Advisory]
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-3928 [US Government Resource]