CVE-2025-1976 - PatchNow

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: OTHER

CVE Published: 2025-04-24

Added to CISA KEV: 2025-04-28 4 DAYS BETWEEN CVE AND KEV

🎯 Recommendations:

CRITICAL: Check for indicators of compromise - this vulnerability is in CISA KEV indicating active exploitation in the wild. Review logs, check for unauthorized access, verify system integrity
Immediately update Brocade Fabric OS to versions newer than 9.1.1d6
Review and audit all admin-level access to SAN infrastructure
Implement network segmentation to ensure SAN management interfaces are not accessible from untrusted networks
Monitor for unusual privilege escalation attempts and code execution on SAN switches
PATCH PRIORITY: HIGH - Due to CISA KEV listing and critical infrastructure impact

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-1976 is a critical code injection vulnerability affecting Broadcom's Brocade Fabric OS, which is widely utilized in data center networking and storage infrastructure ^[1] ^[5].

Key Details

Feature	Description
Vulnerability Type	Code Injection (CWE-94) due to improper input validation ^[3] ^[5]
CVSS Score	8.6 (High) ^[1]
Exploitation Status	Confirmed active exploitation in the wild; included in CISA's Known Exploited Vulnerabilities (KEV) Catalog ^[1] ^[4]
Impact	Allows a local user with administrative privileges to execute arbitrary code with full root privileges ^[1] ^[6]

Exploitation and Requirements

Method: The vulnerability stems from a flaw in IP address validation ^[2].
Requirements: Exploitation is local and requires the attacker to already possess administrative privileges on the affected device ^[1]. It is not a remote code execution (RCE) vulnerability for unauthenticated users.

Threat Landscape

Active Exploitation: The vulnerability has been confirmed as actively exploited in the wild, leading to its inclusion in CISA’s KEV catalog in April 2025 ^[2] ^[4].
Targeted Attacks/Ransomware: While it is confirmed to be exploited, specific details regarding its use in widespread ransomware campaigns versus targeted, high-value espionage or disruption attacks have not been publicly detailed in major security reports.

Affected Versions and Mitigation

Affected Versions: Brocade Fabric OS versions 9.1.0 through 9.1.1d6 ^[1].
Status: Broadcom released security advisories (e.g., BSA-2025-2930) to address the issue ^[3]. Organizations using affected versions were advised to apply vendor-provided patches or mitigations immediately ^[4].

Sources

CVE-2025-1976 Detail - NVD
A local user with admin privilege can potentially execute arbitrary code with full root privileges on Fabric OS versions 9.1.0 through 9.1.1d6. ... A local user with admin privilege can execute arbitrary code with full root privileges on Fabric OS versions 9.1.0 through 9.1.1d6. The vulnerability ha…
CISA Adds Actively Exploited Broadcom and Commvault Flaws to ...
As for CVE-2025-1976, Broadcom said that due to a flaw in IP Address validation, a local user with the admin privilege can potentially execute ...
BSA-2025-2930 - Broadcom support portal
Affected CVE. CVE-2025-1976. Brocade Security Advisory ID. BSA-2025-2930. Component. Input Validation. CWE. CWE-94: Improper Control of ...
CVE-2025-1976 — Broadcom Brocade Fabric OS Code Injection Vulnerability ...
Confirmed exploited in the wild. Added 2025-04-28. Federal remediation due 2025-05-19. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CISA warns about actively exploited Broadcom, Commvault ...
FInally, CVE-2025-1976 is a code injection vulnerability in the Fabric OS, running on Broadcom Brocade data center networking and storage gear.
Critical Vulnerability in Brocade Fabric OS: CVE-2025-1976
CVE-2025-1976 is a critical vulnerability in Brocade Fabric OS that allows local users with admin privileges to execute arbitrary code with root ...

🟢 CVE-2025-1976