CVE-2025-3928
Severity CVSS v4.0: HIGH
Type: Unavailable / Other
Publication date: 25/04/2025
Last modified: 31/10/2025
Description
Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker. According to the Commvault advisory: "Webservers can be compromised through bad actors creating and executing webshells." Fixed in versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for Windows and Linux platforms. This vulnerability was added to the CISA Known Exploited Vulnerabilities (KEV) Catalog on 2025-04-28.
Impact
Base Score 4.0: 8.70
Severity 4.0: HIGH
Base Score 3.x: 8.80
Severity 3.x: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:commvault:commvault:*:*:*:*:*:*:*:* | 11.20.0 (including) | 11.20.217 (excluding) |
| cpe:2.3:a:commvault:commvault:*:*:*:*:*:*:*:* | 11.28.0 (including) | 11.28.141 (excluding) |
| cpe:2.3:a:commvault:commvault:*:*:*:*:*:*:*:* | 11.32.0 (including) | 11.32.89 (excluding) |
| cpe:2.3:a:commvault:commvault:*:*:*:*:*:*:*:* | 11.36.0 (including) | 11.36.46 (excluding) |
| cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* | | |
| cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://documentation.commvault.com/securityadvisories/CV_2025_03_1.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2025-3928
- https://www.cisa.gov/news-events/alerts/2025/05/22/advisory-update-cyber-threat-activity-targeting-commvaults-saas-cloud-application-metallic
- https://www.commvault.com/blogs/customer-security-update
- https://www.commvault.com/blogs/notice-security-advisory-update
- https://www.commvault.com/blogs/security-advisory-march-7-2025
- https://www.bleepingcomputer.com/news/security/commvault-says-recent-breach-didnt-impact-customer-backup-data/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-3928