
A high-severity Commvault Web Server vulnerability, CVE-2025-3928, with a CVSS score of 8.7, has been disclosed. To mitigate your risk, continue reviewing this Cybersecurity Threat Advisory.
What is the threat?
CVE-2025-3928 affects Commvault Web Server versions prior to 11.36.46, 11.32.89, 11.28.141, and 11.20.217 on both Windows and Linux; those four builds are the first fixed release on their respective maintenance branches. It is an unspecified flaw in the Commvault Web Server that a remote, authenticated attacker can exploit to create and execute web shells on the server, potentially leading to unauthorized access and full system compromise.
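Because the fix lands on four separate maintenance branches, "am I patched?" is a per-branch comparison rather than a single version check. The following is an added example (not Commvault's or Barracuda's code) that classifies an installed version string against the fixed builds named above. The "major.minor.build" version format, and the decision to report branches the advisory does not list as "unknown" rather than safe, are assumptions made for this illustration.

```python
# Added example: classify a Commvault Web Server version against the fixed
# builds named in the advisory for CVE-2025-3928. The version-string format
# (major.minor.build) and the handling of unlisted branches are assumptions.
from typing import Tuple

# First fixed build on each maintenance release branch, per the advisory.
FIXED_BUILDS = {
    (11, 20): (11, 20, 217),
    (11, 28): (11, 28, 141),
    (11, 32): (11, 32, 89),
    (11, 36): (11, 36, 46),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.build' (e.g. '11.36.45'); extra dotted fields are ignored."""
    parts = text.strip().split(".")
    if len(parts) < 3:
        raise ValueError(f"expected at least major.minor.build, got {text!r}")
    try:
        major, minor, build = (int(p) for p in parts[:3])
    except ValueError as exc:
        raise ValueError(f"non-numeric version component in {text!r}") from exc
    return (major, minor, build)


def assess(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unknown' for CVE-2025-3928.

    'unknown' means the branch (major.minor) is not one of the four the
    advisory lists, so no fixed build can be derived for it. Treat that as
    "check the vendor advisory for this branch", not as safe.
    """
    major, minor, build = parse_version(version)
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:
        return "unknown"
    return "fixed" if (major, minor, build) >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs, not observed data.
    for v in ["11.36.45", "11.36.46", "11.32.89", "11.28.140", "11.20.217", "11.24.50"]:
        print(f"{v:>10} -> {assess(v)}")
```

Feed it the build string shown in the Commvault console (or the version reported by your asset inventory) for every Web Server host; anything that comes back "vulnerable" or "unknown" goes on the patch list.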
Why is it noteworthy?
This vulnerability is concerning because it lets an attacker who can authenticate to the Web Server turn that foothold into code execution on the host. While exploitation requires valid credentials, attackers can obtain those through stolen, weak, or reused credentials and then gain unauthorized control over affected systems. CISA has added CVE-2025-3928 to its Known Exploited Vulnerabilities (KEV) catalog, confirming in-the-wild exploitation and underscoring the urgency for organizations to patch immediately.
What is the exposure or risk?
Organizations running an affected Commvault Web Server are at risk. Upon successful exploitation, threat actors can remotely create and execute web shells, giving them persistent access that can lead to data breaches, system compromise, and disruption of critical services, including the backup environment itself.
The risk is heightened if attackers already hold valid credentials, which makes it crucial for organizations to strengthen authentication mechanisms and monitor for unusual activity.
What are the recommendations?
Barracuda recommends that organizations take the following steps to mitigate their risk from this threat:
- Update Commvault Web Server to 11.36.46, 11.32.89, 11.28.141, or 11.20.217 (or later on the respective branch).
- Block known malicious IP addresses and monitor for access attempts against the Web Server.
- Rotate credentials, especially for Azure app registrations and backup-related service accounts.
- Monitor sign-ins for anomalies and review audit and access logs regularly.
- Apply conditional access and enforce strict access controls using Microsoft Entra ID.
- Set up web shell detection using YARA rules and endpoint detection and response (EDR) tools, such as Barracuda Managed XDR Endpoint Security, to scan for common web shell patterns.
- Segregate backup networks and ensure backup environments are not directly accessible from the internet.
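The web shell detection step above is worth making concrete. The following is an added example (not Barracuda's, Commvault's, or any YARA rule set) of the heuristic most web shell signatures encode: a server-side script file that both reads request input and passes something to a command or code execution sink. The file extensions, the regular expressions, and the two sample pages are constructed for illustration; they are not indicators taken from the advisory, and a real deployment would use maintained YARA rules and EDR telemetry rather than this triage script alone.

```python
# Added example: triage scanner for web shell-shaped server-side scripts.
# Patterns, extensions and sample content are illustrative assumptions.
import re
from pathlib import Path
from typing import Dict, List

SCRIPT_EXTENSIONS = {".jsp", ".jspx", ".php", ".aspx", ".ashx"}

# Where attacker-controlled input enters the page.
INPUT_SOURCES = {
    "jsp_getParameter": re.compile(r"request\.getParameter\s*\(", re.I),
    "php_superglobal": re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[", re.I),
    "aspnet_request": re.compile(r"Request(\.(Form|QueryString|Params))?\s*\[", re.I),
}

# Where that input reaches command or code execution.
EXEC_SINKS = {
    "java_runtime_exec": re.compile(r"Runtime\.getRuntime\s*\(\s*\)\s*\.exec\s*\(", re.I),
    "java_processbuilder": re.compile(r"new\s+ProcessBuilder\s*\(", re.I),
    "php_exec_family": re.compile(r"\b(eval|system|passthru|shell_exec|popen|proc_open|exec)\s*\(", re.I),
    "dotnet_process_start": re.compile(r"Process\.Start\s*\(", re.I),
}


def scan_text(text: str) -> Dict[str, List[str]]:
    """Return the names of every input-source and exec-sink pattern found in text."""
    return {
        "sources": [name for name, pat in INPUT_SOURCES.items() if pat.search(text)],
        "sinks": [name for name, pat in EXEC_SINKS.items() if pat.search(text)],
    }


def is_suspicious(text: str) -> bool:
    """A hit requires at least one source AND one sink; either alone is normal app code."""
    hits = scan_text(text)
    return bool(hits["sources"]) and bool(hits["sinks"])


def scan_directory(root: Path) -> List[Dict[str, object]]:
    """Walk a web root and return findings for suspicious script files, newest first."""
    findings: List[Dict[str, object]] = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTENSIONS:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        if is_suspicious(text):
            hits = scan_text(text)
            findings.append({"path": str(path), "mtime": path.stat().st_mtime, **hits})
    # Recently dropped files are the most interesting during incident response.
    findings.sort(key=lambda f: f["mtime"], reverse=True)
    return findings


# Constructed sample pages (not real web shells or real application code).
JSP_SHELL = (
    '<%@ page import="java.io.*" %>'
    '<% String c = request.getParameter("cmd");'
    ' Process p = Runtime.getRuntime().exec(c); %>'
)
BENIGN_JSP = (
    '<% String name = request.getParameter("name");'
    ' out.println("Hello " + name); %>'
)
PHP_SHELL = '<?php system($_GET["c"]); ?>'

if __name__ == "__main__":
    for label, sample in [("jsp_shell", JSP_SHELL), ("benign_jsp", BENIGN_JSP), ("php_shell", PHP_SHELL)]:
        print(f"{label:>10}: suspicious={is_suspicious(sample)} {scan_text(sample)}")
```

Point scan_directory at the Web Server's deployed web content directory (for example by passing Path(...) of the web root) and review anything it returns, prioritising files whose modification time falls after the last legitimate deployment. Expect some false positives from legitimate admin pages that shell out; the point of pairing a source with a sink is to keep that list short enough to read by hand.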
References
For more in-depth information about the threat, please visit the following links:
- https://nvd.nist.gov/vuln/detail/cve-2025-3928
- https://thehackernews.com/2025/05/commvault-confirms-hackers-exploited.html
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.