CISA Adds Critical Flaws to Must-Patch List
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a new warning about two dangerous security vulnerabilities that cybercriminals are actively exploiting in the wild. These flaws affect widely used products from Broadcom and Commvault, putting businesses and government agencies at risk of cyberattacks.
Understanding the Threats
Security experts are particularly concerned because both vulnerabilities let an attacker who already has some level of access execute code on the affected system, and, according to CISA’s findings, both are already being used in real-world attacks rather than remaining theoretical risks.
1. Broadcom Brocade Fabric OS Vulnerability (CVE-2025-1976)
Risk Level: High (CVSS Score: 8.6)
What’s the Problem?
This flaw in Fabric OS, the operating system that runs Brocade SAN switches, lets a local user who already holds administrator privileges execute arbitrary code with full root privileges. It does not provide initial access; it lets an attacker who already has an admin account on the switch take complete control of it.
How Bad Is It?
- Affects Fabric OS versions 9.1.0 through 9.1.1d6
- Fixed in version 9.1.1d7 (released April 2025)
- Requires administrator-level access to the switch first, yet it has still been observed in active attacks
Broadcom’s security team warned that the flaw could be used to modify Fabric OS itself, which means an attacker could plant a persistent backdoor or other malicious changes directly in the switch’s operating system.
2. Commvault Web Server Vulnerability (CVE-2025-3928)
Risk Level: High (CVSS Score: 8.7)
What’s the Problem?
This weakness in Commvault’s backup software lets a remote attacker who already holds valid credentials create and execute web shells on the Commvault Web Server – essentially a hidden doorway that gives them command execution on the backup host.
Important Details:
- Only affects systems where attackers already hold valid login credentials
- Requires the system to be either:
  - Directly accessible from the internet, OR
  - Already partially compromised through another method
- Fixed in Commvault’s patched maintenance releases; check the vendor advisory for the exact fixed build for each release line you run
Commvault emphasized that while the vulnerability is serious, it can’t be exploited by random internet users – attackers need valid credentials first.
Why These Flaws Are Dangerous
Security analysts point to several concerning factors:
- Active Exploitation: Unlike many vulnerabilities that remain theoretical risks, these are already being used in real attacks.
- High Impact: Both allow code execution, one of the most severe classes of vulnerability.
- Widespread Use: Broadcom and Commvault products are deployed in many enterprise environments, including government systems.
- Stealth Potential: A web shell planted through the Commvault flaw gives attackers a persistent foothold that can survive the clean-up of the initial breach unless the shell itself is found and removed.
Who’s Most at Risk?
- Government Agencies: Federal Civilian Executive Branch agencies are bound by Binding Operational Directive 22-01 to patch KEV entries by the stated deadlines
- Large Enterprises: Companies using these products for SAN networking or backups
- Managed Service Providers: Those managing client systems running vulnerable versions
What You Need to Do
Immediate Actions:
- Check Your Systems:
  - Identify any installations of affected Broadcom (Brocade Fabric OS) or Commvault products
  - Verify the exact running version on each one, since both fixes are version-specific
- Apply Patches Immediately:
  - Brocade Fabric OS users should upgrade to version 9.1.1d7 or later
  - Commvault customers need to update to the fixed builds listed in the vendor advisory
- Federal Agency Deadlines:
  - Commvault patches must be installed by May 17, 2025
  - Broadcom updates are required by May 19, 2025
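The inventory step above comes down to comparing each installed version against the ranges in the two advisories. That is less trivial than it looks for Fabric OS, whose versions carry a patch letter and a trailing number (9.1.1d6). The following is an added example, not code from CISA, Broadcom or Commvault: it parses Fabric OS versions, checks them against the affected range quoted on this page, and compares a Commvault build against a list of fixed builds that you supply from the vendor advisory (the page does not reproduce those numbers, so the list in the sample is a placeholder). The ordering of Fabric OS patch letters and numbers, the product tags, and the hostnames are assumptions made for the example.

```python
import re

# Version boundaries exactly as the Broadcom advisory for CVE-2025-1976 states them
FOS_FIRST_AFFECTED = "9.1.0"
FOS_LAST_AFFECTED = "9.1.1d6"
FOS_FIXED = "9.1.1d7"

# Fabric OS versions look like 9.1.1, 9.1.1d or 9.1.1d6: major.minor.patch,
# an optional patch letter and an optional trailing number.
_FOS_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z])?(\d+)?$")


def parse_fos(version):
    """Turn a Fabric OS version string into a tuple that sorts correctly.

    Ordering assumption (mine, not from the advisory): within one patch level a
    missing letter sorts before 'a', and a missing trailing number counts as 0,
    so 9.1.1 < 9.1.1a < 9.1.1d < 9.1.1d6 < 9.1.1d7.
    """
    m = _FOS_RE.match(version.strip().lower())
    if not m:
        raise ValueError("unrecognised Fabric OS version: %r" % version)
    major, minor, patch, letter, num = m.groups()
    return (int(major), int(minor), int(patch), letter or "", int(num or 0))


def fos_affected(version):
    """True when the version falls inside the advisory's affected range."""
    v = parse_fos(version)
    return parse_fos(FOS_FIRST_AFFECTED) <= v <= parse_fos(FOS_LAST_AFFECTED)


def commvault_patched(version, fixed_builds):
    """Compare a Commvault build (platform.feature_release.maintenance_release,
    e.g. '11.36.40') with the fixed build for the same feature release.

    fixed_builds is the list of fixed builds from Commvault's advisory; it is a
    parameter because this page does not reproduce the numbers.
    Returns True (patched), False (needs update) or None (feature release not
    in the list, so confirm with the vendor).
    """
    platform, fr, mr = (int(x) for x in version.split("."))
    for fixed in fixed_builds:
        f_platform, f_fr, f_mr = (int(x) for x in fixed.split("."))
        if (platform, fr) == (f_platform, f_fr):
            return mr >= f_mr
    return None


def triage(inventory, commvault_fixed):
    """Map each (hostname, product, version) row to an action.

    The product tags 'fos' and 'commvault' are labels invented for this example.
    """
    actions = {}
    for host, product, version in inventory:
        if product == "fos":
            actions[host] = ("PATCH to %s or later" % FOS_FIXED
                             if fos_affected(version) else "not in affected range")
        elif product == "commvault":
            state = commvault_patched(version, commvault_fixed)
            actions[host] = ("up to date" if state else
                             "PATCH" if state is False else
                             "feature release not in advisory list, confirm with vendor")
        else:
            actions[host] = "not a product covered by these two CVEs"
    return actions


# Constructed inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("san-sw01", "fos", "9.1.1d6"),
    ("san-sw02", "fos", "9.1.1d7"),
    ("san-sw03", "fos", "9.0.1b"),
    ("bkp-web01", "commvault", "11.36.40"),
    ("bkp-web02", "commvault", "11.36.46"),
]
# Placeholder list; replace it with the fixed builds from Commvault's advisory.
SAMPLE_COMMVAULT_FIXED = ["11.36.46"]

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY, SAMPLE_COMMVAULT_FIXED).items():
        print("%-10s %s" % (host, action))
```

Feed `triage` the output of your own asset inventory (for Brocade switches the running version is shown by the switch CLI; for Commvault it is visible in the Command Center), and treat any row that returns None for Commvault as unresolved rather than safe.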
Additional Protective Measures:
- Review administrator access controls: both flaws need an already-authenticated or admin-level account, so every such account on these systems is an attack path
- Monitor for suspicious activity on affected systems, in particular new or modified script files on the Commvault web tier and unexpected changes to switch firmware
- Consider implementing additional network segmentation so the Commvault web server and switch management interfaces are not reachable from the internet
- Ensure proper credential management practices, since valid credentials are the precondition for both attacks
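Because the Commvault flaw is exploited by dropping a web shell, the monitoring item above is concrete: look for server-side script files on the web tier that are either new or contain command-execution code. The scan below is an added example written for this page, not Commvault tooling. It assumes a Java/Tomcat-style web root (so .jsp files matter most; other extensions are included so the same scan works elsewhere), uses a small, constructed set of indicator patterns rather than any vendor-published IOC list, and builds its own throwaway directory with three constructed files so it can run offline. The backdated file shows why a recency check alone is not enough: attackers often reset modification times.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Server-side script extensions worth examining under a web root. The Commvault
# web tier is assumed here to be Java/Tomcat-style, so .jsp matters most.
WEB_EXTS = {".jsp", ".jspx", ".aspx", ".ashx", ".php"}

# Constructed indicator patterns (mine, not a vendor-published IOC list):
# command-execution primitives and request parameters commonly used by shells.
SHELL_PATTERNS = {
    "java_exec": re.compile(rb"Runtime\.getRuntime\(\)\.exec|ProcessBuilder"),
    "os_shell": re.compile(rb"cmd\.exe|/bin/sh|/bin/bash|powershell"),
    "cmd_param": re.compile(rb"getParameter\(\s*[\"'](?:cmd|exec|command)[\"']\s*\)", re.I),
    "dotnet_exec": re.compile(rb"Process\.Start|ProcessStartInfo"),
    "php_eval": re.compile(rb"eval\s*\(\s*(?:base64_decode|\$_(?:GET|POST|REQUEST))"),
}


def hunt_webshells(web_root, max_age_hours=24 * 7):
    """Return a list of suspicious script files under web_root.

    A file is reported when it matches an indicator pattern, or when it is a
    script file modified within max_age_hours (a new script appearing on a
    production web tier deserves a look even without indicators).
    """
    root = Path(web_root)
    cutoff = time.time() - max_age_hours * 3600
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTS:
            continue
        data = path.read_bytes()
        hits = [name for name, pat in SHELL_PATTERNS.items() if pat.search(data)]
        recent = path.stat().st_mtime >= cutoff
        if hits or recent:
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "recent": recent,
                "indicators": hits,
            })
    return findings


def build_sample_web_root():
    """Create a throwaway directory tree that stands in for a web root.

    All three files are constructed for this example.
    """
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    month_ago = time.time() - 30 * 24 * 3600

    # 1. Benign, long-standing page: no indicators, not recent -> not reported.
    (root / "index.jsp").write_bytes(b"<%@ page contentType=\"text/html\" %><html>Hello</html>")
    os.utime(root / "index.jsp", (month_ago, month_ago))

    # 2. Freshly dropped shell: recent and matches indicators.
    (root / "upload").mkdir()
    (root / "upload" / "cmd.jsp").write_bytes(
        b"<% String c = request.getParameter(\"cmd\");"
        b" Process p = Runtime.getRuntime().exec(c); %>")

    # 3. Backdated shell (attackers often reset mtimes): old, but still matches.
    (root / "lib").mkdir()
    (root / "lib" / "helper.jsp").write_bytes(
        b"<% new ProcessBuilder(\"/bin/sh\", \"-c\", request.getParameter(\"exec\")).start(); %>")
    os.utime(root / "lib" / "helper.jsp", (month_ago, month_ago))
    return root


def scan_sample():
    """Build the sample tree, scan it and return the findings."""
    return hunt_webshells(build_sample_web_root())


if __name__ == "__main__":
    for f in scan_sample():
        print(f["path"], "recent" if f["recent"] else "old", f["indicators"])
```

Point `hunt_webshells` at the real web root of the Commvault host and diff the result against a baseline taken from a known-good install; anything that is both new and carries an indicator should be treated as evidence of compromise, not just a patch gap.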
The Bigger Picture
While details about the ongoing attacks remain limited, the fact that CISA has added these flaws to its Known Exploited Vulnerabilities (KEV) catalog indicates they pose a significant threat. The KEV list represents vulnerabilities that are known to be actively used by cybercriminals, making them top priorities for patching.
Security professionals recommend that all organizations using these products treat these vulnerabilities as critical threats, even if they’re not part of the federal government. In today’s threat landscape, delays in patching known vulnerabilities often lead to damaging breaches.
Final Recommendations
- Don’t Wait: Even if you’re not a federal agency, apply these patches as soon as possible.
- Assume Risk: If you’re running vulnerable versions, assume your systems may already be compromised and look for evidence before trusting them again.
- Watch for Updates: Monitor both vendors’ security pages for additional guidance.
As attackers continue to exploit these vulnerabilities, prompt action is the best defense against potential security incidents that could lead to data breaches or system compromises.