Commvault
CVE-2025-3928
HIGH
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker. According to the Commvault advisory: "Webservers can be compromised through bad actors creating and executing webshells." Fixed in version 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for Windows and Linux platforms. This vulnerability was added to the CISA Known Exploited Vulnerabilities (KEV) Catalog on 2025-04-28.
AnalysisAI
Commvault Web Server allows authenticated remote attackers to create and execute webshells, exploited in the wild alongside CVE-2025-34028 for comprehensive backup infrastructure compromise.
Technical ContextAI
The vulnerability allows bad actors to compromise Commvault webservers through webshell creation and execution. While requiring authentication, compromised credentials or chaining with other vulnerabilities enables exploitation.
RemediationAI
Apply Commvault security updates. Implement MFA for Commvault admin access. Monitor for web shell creation. Implement immutable backup storage.
Commvault Command Center Innovation Release allows unauthenticated remote code execution through path traversal in ZIP f
A vulnerability in a known login mechanism allows unauthenticated attackers to execute API calls without requiring user
A security vulnerability has been identified that allows remote attackers to perform unauthorized file system access thr
A security vulnerability has been identified that allows remote attackers to inject or manipulate command-line arguments
During the brief window between installation and the first administrator login, remote attackers may exploit the default
The Report Builder component of the application stores user input directly in a web page and displays it to other users,
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today