CVE-2025-3928
Published: 25 April 2025
Summary
CVE-2025-3928 is a high-severity vulnerability of unspecified weakness type in the Commvault Web Server. Its CVSS base score is 8.7 (High).
Operationally, it ranks in the top 3.4% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations identified in this analysis are NIST 800-53 SI-2 (Flaw Remediation), i.e. applying the vendor's fixed builds, and SI-3 (Malicious Code Protection).
Deeper analysis
Commvault Web Server contains an unspecified vulnerability that permits remote, authenticated attackers to compromise the server by creating and executing webshells. The flaw affects multiple supported versions of the Commvault platform on both Windows and Linux and carries a CVSS 4.0 base score of 8.7, reflecting high impact to confidentiality, integrity, and availability.
An attacker who already possesses valid credentials can upload and run arbitrary webshell code on the affected web server, thereby gaining persistent control over the Commvault environment and any data or systems it manages. Because the precondition is a valid account rather than unauthenticated access, the exposure of an installation depends on who can log in to the web server as well as on its patch level. The vulnerability was added to the CISA Known Exploited Vulnerabilities catalog on 28 April 2025, confirming active exploitation in the wild.
Official Commvault advisories and CISA alerts direct customers to apply the patches released in versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217, one fixed build for each affected 11.x feature release line. The EPSS score has remained flat at 0.2863 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-12508
Vulnerability details
Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker. According to the Commvault advisory: "Webservers can be compromised through bad actors creating and executing webshells." Fixed in versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for Windows and Linux platforms. This vulnerability was added to the CISA Known Exploited Vulnerabilities (KEV) Catalog on 2025-04-28.
- CWE(s): not specified (unspecified weakness)
- KEV Date Added: 28 April 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Commvault Web Server on Windows and Linux, in supported 11.x versions below the fixed builds 11.36.46, 11.32.89, 11.28.141, and 11.20.217.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely application of the vendor patches (11.36.46, 11.32.89, 11.28.141, 11.20.217) that eliminate the webshell creation vector.
- SI-3 (Malicious Code Protection): mandates malicious-code protection mechanisms that would block or alert on webshell upload and execution on the web server.
- AC-6 (Least Privilege): enforces least privilege so that an authenticated account cannot perform the file-creation or command-execution actions needed to plant and run a webshell.
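The two controls that reduce to a concrete technical check, SI-2 (is the installed build at or above the fixed build for its release line?) and SI-3 (has anything new or modified with a script-type extension appeared in the web root since a known-good state?), can be scripted. The Python below is an added example for this page, not Commvault's code or tooling. The fixed-version table is taken from the advisory text above; the web-script suffix list, the manifest-diff approach, the version-string layout and the sample directory tree are assumptions constructed for illustration, since the advisory names neither the webshell type nor the web root location.

```python
"""Post-advisory triage helpers for CVE-2025-3928 (added example, not Commvault code).

Two checks a defender would run on a Commvault Web Server host:
  1. is_patched(): compare an installed version string against the fixed
     builds named in the advisory (11.36.46, 11.32.89, 11.28.141, 11.20.217).
  2. new_or_changed_web_scripts(): diff a baseline file manifest of the web
     root against the current tree and flag new or modified script-type files,
     the footprint a dropped webshell leaves behind.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Fixed builds per 11.x feature-release line, from the Commvault advisory.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (11, 36): (11, 36, 46),
    (11, 32): (11, 32, 89),
    (11, 28): (11, 28, 141),
    (11, 20): (11, 20, 217),
}

# File types commonly used for webshells. ASSUMPTION: the advisory does not
# name the webshell type, so this list is a generic starting point to tune.
WEB_SCRIPT_SUFFIXES = {".jsp", ".jspx", ".war", ".aspx", ".ashx", ".asmx", ".php"}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'major.feature.build' (e.g. '11.36.40'); extra components are ignored.
    ASSUMPTION: the installed version is reported in this dotted form."""
    parts = version.strip().split(".")
    if len(parts) < 3:
        raise ValueError(f"expected at least three components in {version!r}")
    major, feature, build = (int(p) for p in parts[:3])
    return major, feature, build


def is_patched(version: str) -> Optional[bool]:
    """True if version is at or above the fixed build for its feature line,
    False if below it, None if the line is not one of the four listed in the
    advisory (treat None as unknown and consult the vendor, not as safe)."""
    major, feature, build = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, feature))
    if fixed is None:
        return None
    return (major, feature, build) >= fixed


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    manifest: Dict[str, str] = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def new_or_changed_web_scripts(baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Return paths that are new or modified since the baseline and carry a web-script suffix."""
    flagged = []
    for rel, digest in current.items():
        if Path(rel).suffix.lower() not in WEB_SCRIPT_SUFFIXES:
            continue  # non-script files are out of scope for this check
        if baseline.get(rel) != digest:  # absent from baseline, or hash changed
            flagged.append(rel)
    return sorted(flagged)


def demo() -> Tuple[Optional[bool], Optional[bool], Optional[bool], List[str]]:
    """Run both checks against constructed sample data (not real host data)."""
    results = (is_patched("11.36.40"), is_patched("11.32.89"), is_patched("11.24.10"))
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "index.jsp").write_text("<%-- legitimate page --%>")
        (root / "app" / "style.css").write_text("body{}")
        baseline = build_manifest(root)  # captured from the known-good state
        # Constructed post-compromise picture: one new script file, one tampered
        # existing file, one irrelevant text file (placeholders, not a real webshell).
        (root / "app" / "cmd.jsp").write_text("<%-- placeholder for an attacker-created file --%>")
        (root / "app" / "index.jsp").write_text("<%-- tampered --%>")
        (root / "app" / "notes.txt").write_text("ignored: not a script type")
        flagged = new_or_changed_web_scripts(baseline, build_manifest(root))
    return results + (flagged,)


if __name__ == "__main__":
    patched_36, patched_32, unknown_24, flagged = demo()
    print("11.36.40 patched?", patched_36)  # False
    print("11.32.89 patched?", patched_32)  # True
    print("11.24.10 known?  ", unknown_24)  # None
    print("flagged files:", flagged)        # ['app/cmd.jsp', 'app/index.jsp']
```

Run it against the real web root with a manifest captured from a known-good state (ideally right after the fixed build was installed), not from a tree that may already be compromised. A None from is_patched() means the feature release line is not among the four fixed builds on this page and must be checked against the vendor advisory rather than assumed safe.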