CVE-2025-3928: Commvault Web Server unspecified vulnerability

8.8 CVSS

Description

Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker. According to the Commvault advisory: "Webservers can be compromised through bad actors creating and executing webshells." Fixed in version 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for Windows and Linux platforms.

Known Exploited

🚨 Marked as known exploited on April 28th, 2025 (about 1 month ago).

Classification

CVE ID: CVE-2025-3928

CVSS Base Severity: HIGH

CVSS Base Score: 8.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem Types

CWE-noinfo Not enough information

Affected Products

Vendor: Commvault

Product: Web Server

Exploit Prediction Scoring System (EPSS)

EPSS Score: 15.08% (probability of being exploited)

EPSS Percentile: 94.21% (scored less or equal to compared to others)

EPSS Date: 2025-05-24 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-3928
https://documentation.commvault.com/securityadvisories/CV_2025_03_1.html

Timeline

2025-04-25 16:40:17 UTC
CVE

Commvault Web Server unspecified vulnerability
2025-04-28 17:15:19 UTC
CISA KEV

Commvault Web Server Unspecified Vulnerability
2025-04-28 17:16:19 UTC
🚨 Marked as Known Exploited
2025-05-01 08:45:35 UTC
TheHackerNews

Commvault Confirms Hackers Exploited CVE-2025-3928 as Zero-Day in Azure Breach