Broadcom Brocade Fabric SAN vulnerability actively exploited
Take action: If you are running Broadcom Brocade Fabric OS systems, start a quick patch cycle. Isolation won't work here because the exploit relies on trusted users because it does require access with admin privileges. Yet it's already exploited, so attackers have found a way to the admin user. Your only bet is to patch your Broadcom systems.
Learn More
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has issued a warning about actively exploited vulnerability in Broadcom's Brocade Fabric OS.
The flaw is tracked as CVE-2025-1976 (CVSS score 8.6), and allows attackers to run arbitrary code on affected environments with full root-level privileges. This vulnerability is caused by improper input validation in IP address handling and allows authenticated users with admin privileges to execute arbitrary code with full root-level access, alter firmware and security mechanisms, install persistent malware and modify the Fabric OS itself by injecting custom subroutines.
While the exploit requires initial access to an admin-level account, Broadcom has confirmed the vulnerability is already being actively exploited in real-world attacks.
Affected versions include Brocade Fabric OS versions 9.1.0 through 9.1.1d6. Broadcom has issued a fix through the Brocade FOS 9.1.1d7 update. Versions 9.2.0 and later, Brocade ASCG, and Brocade SANnav products are not impacted.
The agency has recommended that Federal Civilian Executive Branch (FCEB) agencies promptly patch this vulnerability as per the BOD 22-01 directive.
