Web Server Vulnerability in Commvault Affects Remote User Security
CVE-2025-3928
Key Information:
- Vendor: Commvault
- CVE Published: 25 April 2025
What is CVE-2025-3928?
CVE-2025-3928 is a vulnerability found in the Commvault Web Server, which is a component of Commvault's data protection and management software. This software is commonly used by organizations to manage backups, recover data, and ensure secure data storage operations. The vulnerability allows a remote, authenticated attacker to potentially compromise the web server via webshells, posing a significant risk to the security and integrity of an organization’s data and systems. If exploited, this could lead to unauthorized access and control, undermining the trust placed in the software for safeguarding sensitive information.
Technical Details
The vulnerability, which the advisory leaves unspecified, enables attackers to execute malicious webshells on the Commvault Web Server. This exploitation route is particularly alarming because an attacker who has already authenticated can gain elevated access, which could enable them to manipulate web server functionality or access sensitive data stored within the environment. Affected versions are those earlier than the patched releases 11.20.217, 11.28.141, 11.32.89, and 11.36.46, on both Windows and Linux platforms. Organizations are strongly advised to apply these updates to mitigate the risk associated with this vulnerability.
Potential impact of CVE-2025-3928
- Unauthorized Access: The ability for attackers to execute webshells could allow them to gain unauthorized control over the web server, potentially exposing critical data to unauthorized individuals.
- Data Compromise: Exploitation of the vulnerability can lead to significant data breaches, as attackers may access and exfiltrate sensitive information stored within the backup and data management systems.
- Operational Disruption: A successful attack could disrupt normal operations of the Commvault system, impacting backup and recovery processes and potentially leading to extended downtimes for organizations relying on these services for data protection.
CISA has reported CVE-2025-3928
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2025-3928 as being exploited, though it is not known by CISA to be used in ransomware campaigns. This is subject to change quickly, as recent news articles suggest the vulnerability is being used by ransomware groups.
CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
Web Server >= 11.36.0, < 11.36.46 (fixed in 11.36.46)
Web Server >= 11.32.0, < 11.32.89 (fixed in 11.32.89)
Web Server >= 11.28.0, < 11.28.141 (fixed in 11.28.141)
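The ranges above read "lower bound inclusive, first fixed build exclusive". As an added example (not code from this page, from Commvault, or from CISA), the following Python script classifies an installed Web Server version against those ranges and deliberately reports versions on feature releases the page does not list as "not listed" rather than treating them as safe, so they get checked against the vendor advisory. The 11.20 range is an assumption built from the 11.20.217 patched build named under Technical Details (its 11.20.0 lower bound is assumed); the hostnames and versions in the sample inventory are constructed.

```python
# Added example: classify Commvault Web Server versions against the
# CVE-2025-3928 ranges listed on this page. Not code from Commvault or CISA.

# (lower bound inclusive, first fixed build exclusive), per the page's
# Affected Version(s) list. The 11.20 entry is an assumption derived from the
# 11.20.217 patched build mentioned under Technical Details.
AFFECTED_RANGES = [
    ((11, 20, 0), (11, 20, 217)),   # assumed lower bound 11.20.0
    ((11, 28, 0), (11, 28, 141)),
    ((11, 32, 0), (11, 32, 89)),
    ((11, 36, 0), (11, 36, 46)),
]


def parse_version(text):
    """Turn '11.36.45' (optionally with extra trailing components) into a
    3-tuple of ints; rejects anything that is not dotted digits."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Commvault version: {text!r}")
    return tuple(int(p) for p in parts[:3])


def classify(text):
    """Return 'affected', 'fixed', or 'not listed'.

    'not listed' means the feature release (first two components) does not
    appear in AFFECTED_RANGES; the page gives no verdict for it, so the
    version must be checked against the vendor advisory, not assumed safe."""
    version = parse_version(text)
    for lower, fixed in AFFECTED_RANGES:
        if version[:2] == lower[:2]:
            return "affected" if version < fixed else "fixed"
    return "not listed"


def triage(inventory):
    """inventory: {hostname: version string}. Returns hosts grouped by
    verdict, with unparsable versions reported under 'invalid' so they are
    not silently dropped from the patch list."""
    groups = {"affected": [], "fixed": [], "not listed": [], "invalid": []}
    for host, ver in sorted(inventory.items()):
        try:
            groups[classify(ver)].append(host)
        except ValueError:
            groups["invalid"].append(host)
    return groups


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "cv-web-01": "11.36.45",       # one build short of the fix
    "cv-web-02": "11.36.46",       # first fixed build
    "cv-web-03": "11.32.10",
    "cv-web-04": "11.28.141",
    "cv-web-05": "11.24.7",        # feature release not on this page
    "cv-web-06": "build-unknown",  # malformed inventory entry
}

if __name__ == "__main__":
    for verdict, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{verdict:>10}: {', '.join(hosts) or '-'}")
```

Feed `triage` the output of whatever inventory source records the Web Server build per host; the "not listed" and "invalid" buckets are the ones that need a human decision rather than an automatic pass.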
News Articles
- CISA Warns of Suspected Broader SaaS Attacks Exploiting App Secrets and Cloud Misconfigs: Commvault app secrets exposed via CVE-2025-3928 in Azure; CISA warns of broader SaaS campaign.
- Commvault Confirms Hackers Exploited CVE-2025-3928 as Zero-Day in Azure Breach: Commvault confirms Azure breach via CVE-2025-3928 zero-day; no data loss; CISA mandates patch by May 19.
- Commvault Shares IoCs After Zero-Day Attack Hits Azure Environment: After CVE-2025-3928 was exploited as a zero-day, Commvault shares attack details, IoCs, and best practices to lock down systems.
References
EPSS Score
11% chance of being exploited in the next 30 days.
CVSS V4
Timeline
- 💰 Used in Ransomware
- 📈 Vulnerability started trending
- 📰 First article discovered by GBHackers News
- 👾 Exploit known to exist
- 🦅 CISA Reported
- Vulnerability published