CVE-2025-3928

Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker. According to the Commvault advisory: "Webservers can be compromised through bad actors creating and executing webshells." Fixed in version 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for Windows and Linux platforms. This vulnerability was added to the CISA Known Exploited Vulnerabilities (KEV) Catalog on 2025-04-28.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cisa-cgCNA
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA-ADPADP
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 93%
VendorProductVersion
commvaultcommvault
11.20.0 ≤
𝑥
< 11.20.217
commvaultcommvault
11.28.0 ≤
𝑥
< 11.28.141
commvaultcommvault
11.32.0 ≤
𝑥
< 11.32.89
commvaultcommvault
11.36.0 ≤
𝑥
< 11.36.46
𝑥
= Vulnerable software versions
Vulnerability Media Exposure
References
https://documentation.commvault.com/securityadvisories/CV_2025_03_1.html
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2025-3928
https://www.cisa.gov/news-events/alerts/2025/05/22/advisory-update-cyber-threat-activity-targeting-commvaults-saas-cloud-application-metallic
https://www.commvault.com/blogs/customer-security-update
https://www.commvault.com/blogs/notice-security-advisory-update
https://www.commvault.com/blogs/security-advisory-march-7-2025
https://www.bleepingcomputer.com/news/security/commvault-says-recent-breach-didnt-impact-customer-backup-data/