Home

Description

Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker. According to the Commvault advisory: "Webservers can be compromised through bad actors creating and executing webshells." Fixed in version 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for Windows and Linux platforms. This vulnerability was added to the CISA Known Exploited Vulnerabilities (KEV) Catalog on 2025-04-28.

PUBLISHED Reserved 2025-04-24 | Published 2025-04-25 | Updated 2026-02-26 | Assigner cisa-cg




HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA Known Exploited Vulnerability

Date added 2025-04-28 | Due date 2025-05-19

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Problem types

CWE-noinfo Not enough information

Product status

Default status
unaffected

11.36.0 (custom) before 11.36.46
affected

11.36.46
unaffected

11.32.0 (custom) before 11.32.89
affected

11.32.89
unaffected

11.28.0 (custom) before 11.28.141
affected

11.28.141
unaffected

11.20.0 (custom) before 11.20.217
affected

11.20.217
unaffected

References

www.cisa.gov/...nerabilities-catalog?field_cve=CVE-2025-3928 government-resource

www.bleepingcomputer.com/...dnt-impact-customer-backup-data/

documentation.commvault.com/...yadvisories/CV_2025_03_1.html (url)

www.cisa.gov/...es-catalog?search_api_fulltext=CVE-2025-3928 (url)

www.commvault.com/blogs/security-advisory-march-7-2025 (url)

www.commvault.com/blogs/notice-security-advisory-update (url)

www.cisa.gov/...g-commvaults-saas-cloud-application-metallic (url)

www.commvault.com/blogs/customer-security-update (url)

cve.org (CVE-2025-3928)

nvd.nist.gov (CVE-2025-3928)

Download JSON