Unrated severityCISA KEVNVD Advisory· Published Apr 25, 2025· Updated Feb 26, 2026

Commvault Web Server unspecified vulnerability

CVE-2025-3928

Description

Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker. According to the Commvault advisory: "Webservers can be compromised through bad actors creating and executing webshells." Fixed in version 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for Windows and Linux platforms. This vulnerability was added to the CISA Known Exploited Vulnerabilities (KEV) Catalog on 2025-04-28.

Affected products

Commvault/Web Serverv5
Range: 11.36.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

documentation.commvault.com/securityadvisories/CV_2025_03_1.htmlmitre
www.cisa.gov/known-exploited-vulnerabilities-catalogmitre
www.cisa.gov/news-events/alerts/2025/05/22/advisory-update-cyber-threat-activity-targeting-commvaults-saas-cloud-application-metallicmitre
www.commvault.com/blogs/customer-security-updatemitre
www.commvault.com/blogs/notice-security-advisory-updatemitre
www.commvault.com/blogs/security-advisory-march-7-2025mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.013
exploit	0.000
kev	0.120
patch	0.000
ransomware	0.000