CISA Issues Warning on Commvault Web Server Flaw Exploited in the Wild
CISA has issued a new security warning about a critical vulnerability affecting the Commvault Web Server, built into one of the industry’s leading data protection platforms.
Assigned CVE-2025-3928, the flaw allows remote, authenticated attackers to create and execute webshells on compromised servers.
This alert comes as security teams worldwide scramble to assess exposure and mitigate risk, following the vulnerability’s addition to CISA’s Known Exploited Vulnerabilities (KEV) Catalog on April 28, 2025.
According to CISA and initial advisories, the vulnerability is “unspecified,” meaning details have not been publicly disclosed, likely in order to prevent further exploitation.
CVE-2025-3928: Unspecified but Dangerous
However, researchers clarify that the flaw enables attackers with valid credentials to gain remote code execution (RCE) capabilities, specifically by uploading and running webshells, which are malicious scripts that grant attackers control over targeted systems.
While there is no current public confirmation that CVE-2025-3928 has been leveraged in major ransomware campaigns, its ability to enable webshell deployment raises significant alarms.
Webshells are a favorite tool among threat actors for establishing persistence, exfiltrating data, moving laterally, and launching follow-on attacks, including ransomware.
CISA has recommended that all organizations using the Commvault Web Server take the following steps immediately:
- Apply Mitigations: Follow instructions from Commvault’s official security advisory to implement available patches or workarounds.
- Review Cloud Guidance: For cloud-based deployments, adhere to CISA’s Binding Operational Directive (BOD) 22-01 requirements, which impose strict timelines for cloud vulnerability management.
- Discontinue If Necessary: If mitigations cannot be applied, CISA advises discontinuing use of affected Commvault Web Server products until patches or safe workarounds become available.
Affected organizations are urged to complete remediation by May 17, 2025, a notably tight deadline that underscores the severity of the threat.
Commvault, known for its enterprise-grade backup and recovery solutions, has quickly responded by releasing a patch and urging its customers to update immediately.
Security analysts warn that, even though exploitation currently requires authentication, many organizations fail to enforce strong access controls, leaving them vulnerable.
“Data protection infrastructure is an attractive target for cybercriminals. If compromised, it can act as a launchpad for broader compromise and extortion campaigns,” warns a notable cybersecurity research lab spokesperson.
While the full scale of exploitation is unclear, organizations are reminded that early mitigation is critical.
With ransomware operators increasingly targeting backup solutions, even a single lapse can have devastating, organization-wide consequences.
Users must consult Commvault’s official advisory and CISA’s guidance on the newly added CVE-2025-3928 for more information.