CVE Alert

CVE-2025-3928

HIGH 8.8 ⚠️ CISA KEV

Commvault Web Server unspecified vulnerability

CVSS Score: 8.8
EPSS Score: 0.0%
EPSS Percentile: 0th

Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker. According to the Commvault advisory: "Webservers can be compromised through bad actors creating and executing webshells." Fixed in versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for Windows and Linux platforms. This vulnerability was added to the CISA Known Exploited Vulnerabilities (KEV) Catalog on 2025-04-28.

Vendor: commvault
Product: web server
Published: Apr 25, 2025
Last Updated: Feb 26, 2026
⚠️ Actively Exploited: Act Now


CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Affected Versions

Commvault / Web Server
11.36.0 < 11.36.46
11.32.0 < 11.32.89
11.28.0 < 11.28.141
11.20.0 < 11.20.217

References

documentation.commvault.com: https://documentation.commvault.com/securityadvisories/CV_2025_03_1.html
cisa.gov: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2025-3928
commvault.com: https://www.commvault.com/blogs/security-advisory-march-7-2025
commvault.com: https://www.commvault.com/blogs/notice-security-advisory-update
cisa.gov: https://www.cisa.gov/news-events/alerts/2025/05/22/advisory-update-cyber-threat-activity-targeting-commvaults-saas-cloud-application-metallic
commvault.com: https://www.commvault.com/blogs/customer-security-update
cisa.gov: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-3928
bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/commvault-says-recent-breach-didnt-impact-customer-backup-data/