Commvault Web Server vulnerability under active exploitation by Nation-State threat actor

Take action: Plan a patch of your Commvault CommServe installations, Web Servers, and Command Center now. These are already being attacked by nation-state hacker groups, and network isolation alone does not protect you, because the attackers have found ways to obtain credentials and reach the systems from inside the network. So don't delay.


Commvault has addressed a security vulnerability in its web server module that was actively exploited in zero-day attacks by a nation-state threat actor. 

The vulnerability is tracked as CVE-2025-3928 (CVSS score 8.8) and affects the web server module in all Commvault CommServe installations, Web Servers, and Command Center software. The flaw allows authenticated attackers to install webshells on target servers. Commvault web servers function as user-facing and API components of backup systems used by enterprises to protect and restore critical data.

For successful exploitation, the following prerequisites must be met:

  • The attacker must have valid, authenticated user credentials within the Commvault software environment, which means the environment must already have been compromised through another vulnerability or through a compromised user account.
  • The affected environment must be reachable from the internet or from a compromised endpoint in the internal network.

According to Commvault's update on the February attacks, only a small number of customers have been affected by this vulnerability, but the investigation into the incident is still ongoing, which means the full impact may not yet be determined.

Commvault has fixed CVE-2025-3928 in the following versions for both Windows and Linux platforms:

  • Version 11.36.46
  • Version 11.32.89
  • Version 11.28.141
  • Version 11.20.217
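As an added illustration (not Commvault's or CISA's own tooling), the following Python check classifies version strings from an asset inventory against the fixed releases listed above, treating feature releases the advisory does not name as "unknown" rather than safe; the hostnames and versions in the sample inventory are constructed.

```python
import re

# Fixed releases named in the advisory: (major, feature release) -> first
# maintenance release containing the CVE-2025-3928 fix.
FIXED_RELEASES = {(11, 36): 46, (11, 32): 89, (11, 28): 141, (11, 20): 217}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse 'major.feature.maintenance' into ints; reject anything else."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Commvault version string: {version!r}")
    major, feature, maint = (int(x) for x in m.groups())
    return major, feature, maint


def patch_status(version: str) -> str:
    """'patched', 'vulnerable', or 'unknown' when the feature release is not
    in the advisory (check Commvault's guidance; never assume it is safe)."""
    major, feature, maint = parse_version(version)
    minimum = FIXED_RELEASES.get((major, feature))
    if minimum is None:
        return "unknown"
    return "patched" if maint >= minimum else "vulnerable"


def triage_inventory(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by status so vulnerable ones can be patched first."""
    groups: dict[str, list[str]] = {"vulnerable": [], "unknown": [], "patched": []}
    for host, version in sorted(inventory.items()):
        groups[patch_status(version)].append(host)
    return groups


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "commserve-01": "11.32.88",   # one maintenance release short of the fix
    "commserve-02": "11.36.46",   # exactly the fixed release
    "webserver-01": "11.28.150",  # later than the fix on that branch
    "cmdcenter-01": "11.24.10",   # feature release not listed in the advisory
}

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```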

CISA has given organizations until May 17, 2025, to apply fixes or available mitigations for this vulnerability under its BOD 22-01 directive.

As a relevant side note, Commvault recently patched a separate critical vulnerability - an unauthenticated remote code execution flaw in Command Center. 