Critical Webserver Vulnerability
Summary
CVE.Org link: CVE-2025-3928 Save as PDF A vulnerability has been identified and remediated in all supported versions of the Commvault software. Webservers can be compromised through bad actors creating and executing webshells. Exploiting this vulnerability requires a bad actor to have authenticated user credentials within the Commvault Software environment. Unauthenticated access is not exploitable. For software customers, this means your environment must be: (i) accessible via the internet, (ii) compromised through an unrelated avenue, and (iii) accessed leveraging legitimate user credentials.
CISA Known Exploited Vulnerability
- Listed:
- Apr 28, 2025 · federal remediation due May 19, 2025
- Required action:
- Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Ransomware use:
- Unknown
KEV is a prioritization signal from CISA — remediation detail still comes from the vendor advisory.
- Product Platforms Affected Versions Resolved Version Status Commvault Linux, Windows 11.36.0 - 11.36.45 11.36.46 Resolved Commvault Linux, Windows 11.32.0 - 11.32.88 11.32.89 Resolved Commvault Linux, Windows 11.28.0 - 11.28.140 11.28.141 Resolved Commvault Linux, Windows 11.20.0 - 11.20.216 11.20.2
- 11.36.0
- 11.36.45
- 11.36.46
- 11.32.0
- 11.32.88
- 11.32.89
- 11.28.0
- 11.28.140
- 11.28.141
- 11.20.0
- 11.20.216
- 11.20.217
- Affected Versions
- 11.36.0 - 11.36.45
- 11.32.0 - 11.32.88
Official advisory · high-confidence parse· fetched 6 hours ago·verify at source
- 11.36.46
- 11.32.89
- 11.28.141
- 11.20.217
Official advisory · high-confidence parse· fetched 6 hours ago·verify at source
Mitigation checklist
- Install the listed maintenance release (or a more recent one) for your feature release: 11.36.46, 11.32.89, 11.28.141, 11.20.217.
Official advisory · high-confidence parse· fetched 6 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.