vulnerability
Commvault Web Server: CVE-2025-3928: Unrestricted Upload of File with Dangerous Type
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 9 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | Feb 24, 2025 | Jun 30, 2025 | Aug 13, 2025 |
Severity
9
CVSS
(AV:N/AC:L/Au:S/C:C/I:C/A:C)
Published
Feb 24, 2025
Added
Jun 30, 2025
Modified
Aug 13, 2025
Description
Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker. According to the Commvault advisory: "Webservers can be compromised through bad actors creating and executing webshells." Fixed in version 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for Windows and Linux platforms. This vulnerability was added to the CISA Known Exploited Vulnerabilities (KEV) Catalog on 2025-04-28.
Solution
commvault-web-server-upgrade-latest
References
- CVE-2025-3928
- https://attackerkb.com/topics/CVE-2025-3928
- URL-https://documentation.commvault.com/securityadvisories/CV_2025_03_1.html
- URL-https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2025-3928
- URL-https://www.cisa.gov/news-events/alerts/2025/05/22/advisory-update-cyber-threat-activity-targeting-commvaults-saas-cloud-application-metallic
- URL-https://www.commvault.com/blogs/customer-security-update
- URL-https://www.commvault.com/blogs/notice-security-advisory-update
- URL-https://www.commvault.com/blogs/security-advisory-march-7-2025
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.