🔴 CVE-2025-3928

Commvault Web Server contains an unspecified vulnerability that allows remote authenticated attackers to compromise web servers by creating and executing web shells. This vulnerability is actively exploited in the wild and is listed in the CISA KEV catalog.

Risk Level: HIGH_RISK

CVSS Score: 8.8

Attack Vector: NETWORK

ATT&CK Tactic: Persistence

ATT&CK Technique: T1505 — Server Software Component

Deployment Risk: HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-04-25

Added to CISA KEV: 2025-04-28 (3 days between CVE publication and KEV listing)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-3928 is a high-severity security vulnerability affecting the Commvault Web Server component [4]. It gained significant attention in early 2025 due to its use as a zero-day exploit in the wild [1].

Active Exploitation and Threat Actors
  • Active Exploitation: The vulnerability was actively exploited in the wild as a zero-day [1].
  • Threat Actor Usage: Commvault confirmed that an unknown nation-state threat actor exploited this vulnerability to gain unauthorized access to the company's own Microsoft Azure environment [1].
  • CISA Status: Due to evidence of active exploitation, the vulnerability was added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog on April 28, 2025 [2].
Attack Method and Requirements
  • Access Vector: The vulnerability is exploitable remotely [2].
  • Authentication Requirement: Successful exploitation requires the attacker to have valid login credentials for the Commvault Web Server [3].
  • Exploitation Method: Once authenticated, an attacker can exploit the weakness to upload and execute malicious webshell files on the server [3].
Impact and Nature of Attacks
  • Impact: Successful exploitation allows for unauthorized access to the server environment. In the case of the breach at Commvault, the exploit was used to access their Azure environment, though the company reported no data loss [1]. Other reports indicate the vulnerability could also expose sensitive information, such as OAuth credentials [5].
  • Ransomware/Targeted Attacks: While it was used by a nation-state actor in a targeted breach, there is no widespread evidence linking it to common ransomware campaigns in the initial reports [1].
Affected Versions and Mitigation
  • Affected Products: The vulnerability affects various versions of Commvault software running on both Windows and Linux platforms [2].
  • Patch Status: Commvault has released security updates to address the vulnerability [4]. Customers are strongly urged to apply the latest patches and monitor their systems for suspicious sign-in activity or the presence of unauthorized webshells [1].

Sources

  1. Commvault Confirms Hackers Exploited CVE-2025-3928 as Zero-Day in Azure ...

    Commvault discloses that a nation-state hacker exploited CVE-2025-3928, a vulnerability in its web server, to access its Microsoft Azure environment. The company says there was no data loss and urges customers to apply patches and monitor sign-in activity. ... Commvault has revealed that an unknown…

  2. NVD - CVE-2025-3928

    CVE-2025-3928 is an unspecified vulnerability that can be exploited by a remote, authenticated attacker to compromise Commvault Web Server. The vulnerability affects various versions of Commvault software on Windows and Linux platforms and was added to CISA's Known Exploited Vulnerabilities Catalog…

  3. CVE-2025-3928 - Commvault Web Server Webshell Vulnerability Explained ...

    CVE-2025-3928 is an *unspecified vulnerability* in the Commvault Web Server component. According to the official Commvault advisory, attackers with valid login credentials can exploit a weakness in the server to upload and execute malicious webshell files.

  4. Active Exploitation of High-Severity Vulnerability in Commvault ...

    Commvault has released security updates to address a high-severity vulnerability (CVE-2025-3928) in its products.

  5. Commvault Metallic Vulnerability (CVE-2025-3928) Exposed OAuth ...

    A zero-day vulnerability in Commvault Metallic (CVE-2025-3928) exposed OAuth credentials. Learn how the breach happened and what IT teams ...