
The United States Cybersecurity and Infrastructure Security Agency (CISA) has added two high-severity vulnerabilities, one in Broadcom's Brocade Fabric OS storage-networking software and one in Commvault's backup server software, to its Known Exploited Vulnerabilities (KEV) catalog. According to the agency, both flaws are already being exploited in real-world attacks.
The first vulnerability, tracked as CVE-2025-1976, affects Broadcom's Brocade Fabric OS, the operating system of the Fibre Channel switches that run storage area networks in many data centers. Rated 8.6 (High) on the CVSS scale, the flaw lets a user who already holds a local admin account on the switch execute arbitrary commands with full root privileges, that is, it is a privilege escalation from the Fabric OS admin role to root.
The root cause is insufficient validation of IP addresses supplied to the switch, which lets an attacker smuggle in system-level commands or modify the Fabric OS itself, including adding code to it. The vulnerability affects Fabric OS versions 9.1.0 through 9.1.1d6 and was fixed in 9.1.1d7, released on April 17, 2025.
The second vulnerability concerns the Commvault Web Server, part of a backup and data recovery platform that is widely deployed in enterprises. CVE-2025-3928, rated 8.7 on the CVSS scale, allows a remote, authenticated user to create and execute web shells on the affected server. Exploitation requires valid login credentials, but the risk is significant if an attacker has already gained a foothold through another vector or if the web server is exposed to the internet. The issue affects both Linux and Windows installations in the following version ranges:
- 11.36.0 — 11.36.45 (patched in 11.36.46);
- 11.32.0 — 11.32.88 (patched in 11.32.89);
- 11.28.0 — 11.28.140 (patched in 11.28.141);
- 11.20.0 — 11.20.216 (patched in 11.20.217).
Commvault stated that a successful attack requires the Web Server to be reachable from the internet, the environment to have already been compromised through an unrelated avenue, and the attacker to hold valid user credentials.
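The version ranges above are the practical artifact of these advisories: what an administrator actually has to do is compare each Commvault and Fabric OS build in an inventory against them. The following script is an added example written for this article, not code from CISA, Broadcom or Commvault; the hostnames and versions in its inventory are constructed, and the ranges it encodes are exactly the ones listed above. It handles the two different version schemes (Commvault's numeric major.minor.build and Fabric OS's 9.1.1d6-style letter and sub-patch suffixes) and distinguishes "patched" from "not covered by the advisory", which a naive string comparison gets wrong.

```python
import re
from typing import List, Optional, Tuple

# Affected ranges from the Commvault advisory summarised in the article (inclusive),
# with the first fixed build of each feature-release line.
COMMVAULT_RANGES = [
    ((11, 36, 0), (11, 36, 45), "11.36.46"),
    ((11, 32, 0), (11, 32, 88), "11.32.89"),
    ((11, 28, 0), (11, 28, 140), "11.28.141"),
    ((11, 20, 0), (11, 20, 216), "11.20.217"),
]

# Affected range for Brocade Fabric OS (inclusive) and the fixed release.
FOS_AFFECTED_LOW, FOS_AFFECTED_HIGH, FOS_FIXED = "9.1.0", "9.1.1d6", "9.1.1d7"


def parse_commvault(version: str) -> Tuple[int, int, int]:
    """Commvault versions are plain numeric triplets, e.g. 11.36.45."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognized Commvault version: {version!r}")
    major, minor, build = (int(x) for x in m.groups())
    return (major, minor, build)


def parse_fos(version: str) -> Tuple[int, int, int, int, int]:
    """Fabric OS versions look like 9.1.0, 9.1.1a or 9.1.1d6: a numeric triplet,
    an optional patch letter and an optional numeric sub-patch. They are mapped
    to a 5-tuple so that 9.1.1 < 9.1.1a < 9.1.1d < 9.1.1d6 < 9.1.1d7 under
    ordinary tuple comparison."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)([a-z])?(\d+)?", version.strip().lower())
    if not m:
        raise ValueError(f"unrecognized Fabric OS version: {version!r}")
    major, minor, patch, letter, sub = m.groups()
    letter_rank = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(patch), letter_rank, int(sub) if sub else 0)


def commvault_status(version: str) -> Tuple[str, Optional[str]]:
    """Returns ("vulnerable", fixed_build), ("patched", None) or ("unlisted", None).
    A build on a feature line the advisory does not mention is reported as
    unlisted rather than silently treated as safe."""
    ver = parse_commvault(version)
    for low, high, fixed in COMMVAULT_RANGES:
        if ver[:2] == low[:2]:  # same feature-release line (11.36, 11.32, ...)
            if low <= ver <= high:
                return ("vulnerable", fixed)
            return ("patched", None)
    return ("unlisted", None)


def fos_status(version: str) -> Tuple[str, Optional[str]]:
    ver = parse_fos(version)
    low, high, fixed = (parse_fos(v) for v in (FOS_AFFECTED_LOW, FOS_AFFECTED_HIGH, FOS_FIXED))
    if low <= ver <= high:
        return ("vulnerable", FOS_FIXED)
    if ver[:2] == (9, 1) and ver >= fixed:
        return ("patched", None)
    return ("unlisted", None)  # e.g. 9.2.x or 8.x: not in the advisory's range


# Constructed sample inventory (hypothetical hosts), as (host, product, version).
INVENTORY = [
    ("backup-01", "commvault", "11.36.45"),
    ("backup-02", "commvault", "11.36.46"),
    ("backup-03", "commvault", "11.28.140"),
    ("backup-04", "commvault", "11.34.10"),
    ("san-sw-01", "fos", "9.1.1d6"),
    ("san-sw-02", "fos", "9.1.1d7"),
    ("san-sw-03", "fos", "9.1.0b"),
]


def triage(inventory) -> List[Tuple[str, str, Optional[str]]]:
    """Classify every host; the caller can then sort 'vulnerable' rows to the top."""
    results = []
    for host, product, version in inventory:
        status, fixed = commvault_status(version) if product == "commvault" else fos_status(version)
        results.append((host, status, fixed))
    return results


if __name__ == "__main__":
    for host, status, fixed in triage(INVENTORY):
        print(f"{host:10} {status:10} {'upgrade to ' + fixed if fixed else ''}")
```

Two points of design worth noting. First, the Commvault check keys on the feature-release line (11.36, 11.32, and so on) before comparing builds, so that a build newer than the fixed one on a listed line is "patched" while a line the advisory never mentions comes back "unlisted" and has to be verified by hand. Second, because both CVEs are confirmed exploited, a version match is where investigation starts, not ends: a server that was on a vulnerable build while exposed should also be checked for unexpected files in the web server's content directories and for unfamiliar admin logins before it is simply upgraded.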
Although exploitation of both vulnerabilities has been confirmed, neither CISA nor the vendors have disclosed the scope of the attacks, the methods used, or the threat actors behind them.
Under Binding Operational Directive 22-01, federal civilian agencies must apply the Commvault patches by May 17, 2025, and the Brocade Fabric OS update by May 19, 2025. The deadlines are intended to cut off further attacks on critical infrastructure at a time when data centers and cloud-based services are under growing pressure.
Both cases show that a vulnerability does not need to be unauthenticated to end up on the KEV list. Each requires some prior access, an admin account on the switch or a valid Commvault login, yet each turns that access into full control of a system that the rest of the infrastructure trusts: the switches that carry storage traffic and the server that holds backups of everything else. Breaking such trust relationships remains one of the most dangerous moves in modern intrusions, because it lets an adversary quietly seize key elements of the IT estate from a foothold that on its own looked unremarkable.