Cyber Resilience

CVE-2025-3928

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 25 April 2025
Modified: 31 October 2025
KEV added: 28 April 2025
Patch: available (fixed versions are listed under Deeper analysis)
CVSS v4 score: 8.7 (vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.2863 (96.6th percentile)
Risk priority: 55 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-3928 is a high-severity vulnerability of unspecified weakness type in Commvault. Its CVSS base score is 8.7 (High).

Operationally, it ranks in the top 3.4% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).

Deeper analysis

Commvault Web Server contains an unspecified vulnerability that permits remote authenticated attackers to compromise the server by creating and executing webshells. The flaw affects multiple supported versions of the Commvault platform on both Windows and Linux and carries a CVSS 4.0 score of 8.7 reflecting high impact to confidentiality, integrity, and availability.

An attacker who already possesses valid credentials can upload and run arbitrary webshell code on the affected web server, thereby gaining persistent control over the Commvault environment and any data or systems it manages. The vulnerability was added to the CISA Known Exploited Vulnerabilities catalog on 28 April 2025, confirming active exploitation in the wild.

Official Commvault advisories and CISA alerts direct customers to apply the patches released in versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217. The EPSS score has remained flat at 0.2863 with no material increase since disclosure.
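A branch-aware patch-status check built from the fixed versions quoted above, as an added example that is not part of this page or of Commvault's own tooling. It assumes Commvault versions are reported as major.minor.build, that a build at or above the fixed build in the same feature-release branch is patched, and it reports branches the advisory does not name as unknown rather than safe.

```python
"""Patch-status triage for CVE-2025-3928 (Commvault Web Server)."""
from __future__ import annotations

# Fixed builds per feature-release branch, as stated in the advisory text on this page.
FIXED_BUILDS: dict[tuple[int, int], int] = {
    (11, 36): 46,
    (11, 32): 89,
    (11, 28): 141,
    (11, 20): 217,
}


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse 'major.minor.build' into integers; reject anything else (assumed format)."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Commvault version string: {version!r}")
    major, minor, build = (int(p) for p in parts)
    return major, minor, build


def patch_status(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-branch' for an installed version."""
    major, minor, build = parse_version(version)
    fixed_build = FIXED_BUILDS.get((major, minor))
    if fixed_build is None:
        # A branch the advisory does not list: do not assume it is safe.
        return "unknown-branch"
    return "patched" if build >= fixed_build else "vulnerable"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts from a {hostname: version} inventory by patch status."""
    groups: dict[str, list[str]] = {"patched": [], "vulnerable": [], "unknown-branch": []}
    for host, version in sorted(inventory.items()):
        groups[patch_status(version)].append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = {
        "cv-web-01": "11.36.46",
        "cv-web-02": "11.32.88",
        "cv-web-03": "11.28.141",
        "cv-web-04": "11.20.100",
        "cv-web-05": "11.24.10",
    }
    for status, hosts in triage(sample).items():
        print(f"{status:15s} {', '.join(hosts) or '-'}")
```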

Vulnerability details

Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker. According to the Commvault advisory: "Webservers can be compromised through bad actors creating and executing webshells." Fixed in versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for Windows and Linux platforms. This vulnerability was added to the CISA Known Exploited Vulnerabilities (KEV) Catalog on 2025-04-28.

CWE(s): unspecified
KEV date added: 28 April 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Commvault
Product: Commvault
Affected versions: 11.20.0 to 11.20.217 · 11.28.0 to 11.28.141 · 11.32.0 to 11.32.89

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly requires timely application of the vendor patches (11.36.46 etc.) that eliminate the webshell creation vector.

Prevent / Detect: Mandates malicious-code protection mechanisms that would block or alert on webshell upload and execution.

Prevent: Enforces least privilege so an authenticated account cannot perform the file-creation or command-execution actions needed for webshells.