
CV_2025_03_1: Critical Webserver Vulnerability HIGH

  • Advisory ID: CV_2025_03_1
  • Severity: HIGH
  • Issued: 2025-02-24
  • Updated: 2025-04-25
  • CVSS Score Range: 8.7
  • Additional Links:

A vulnerability has been identified and remediated in all supported versions of the Commvault software. Webservers can be compromised through bad actors creating and executing webshells. 

Exploiting this vulnerability requires a bad actor to have authenticated user credentials within the Commvault Software environment. Unauthenticated access is not exploitable. For software customers, this means your environment must be: (i) accessible via the internet, (ii) compromised through an unrelated avenue, and (iii) accessed leveraging legitimate user credentials.

Impacted Products

Product     Platforms        Affected Versions     Resolved Version   Status
Commvault   Linux, Windows   11.36.0 - 11.36.45    11.36.46           Resolved
Commvault   Linux, Windows   11.32.0 - 11.32.88    11.32.89           Resolved
Commvault   Linux, Windows   11.28.0 - 11.28.140   11.28.141          Resolved
Commvault   Linux, Windows   11.20.0 - 11.20.216   11.20.217          Resolved

Resolution

To prevent this issue, immediately install the resolved maintenance release for the affected version on the CommServe, Web Servers, and Command Center. This vulnerability does not impact client computers.

For more information about installing maintenance releases, see Installing Commvault Software Updates on Demand.

UPDATE (March 7th, 2025) – We have implemented additional fixes to enhance the security of the webserver module.

UPDATE (March 10th, 2025) – Version 11.32.88 had issues with loading certain reports correctly. These issues have been resolved in version 11.32.89.

UPDATE (April 25, 2025) – Added the CVE ID for this vulnerability.

Refer to the table above for details on the affected versions and updates.
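As an added example (not Commvault's own tooling), the following Python script checks installed version strings against the affected and resolved ranges in the table above, so an inventory can be triaged before patching; the host list at the bottom is constructed sample data, and the "11.<release>.<maintenance>" version format is an assumption.

```python
# Added example, not Commvault code: classify installed Commvault versions
# against the ranges published in advisory CV_2025_03_1.
# Assumes versions are dotted "11.<release>.<maintenance>" numbers.
from typing import List, Optional, Tuple

# (first affected, last affected, resolved) per feature release line, from the advisory table.
ADVISORY_RANGES = [
    ("11.36.0", "11.36.45", "11.36.46"),
    ("11.32.0", "11.32.88", "11.32.89"),
    ("11.28.0", "11.28.140", "11.28.141"),
    ("11.20.0", "11.20.216", "11.20.217"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11.32.88' into (11, 32, 88) so versions compare numerically, not as strings."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Commvault version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, resolved_version) for one installed version.

    status is 'affected', 'resolved' or 'unlisted'; 'unlisted' means the feature
    release line is not in the advisory table, so the advisory gives no verdict
    for it and it has to be checked separately rather than assumed safe.
    """
    v = parse_version(version)
    for low, high, fixed in ADVISORY_RANGES:
        lo, hi, fx = parse_version(low), parse_version(high), parse_version(fixed)
        if v[:2] != lo[:2]:
            continue  # different feature release line (e.g. 11.34 vs 11.36)
        if lo <= v <= hi:
            return "affected", fixed
        if v >= fx:
            return "resolved", fixed
    return "unlisted", None


def report(inventory: List[Tuple[str, str]]) -> List[str]:
    """Print a verdict per (host, version) pair and return hosts still needing the fix."""
    needing_fix = []
    for host, version in inventory:
        status, fixed = assess(version)
        print(f"{host}: {version} -> {status}" + (f" (install {fixed})" if status == "affected" else ""))
        if status == "affected":
            needing_fix.append(host)
    return needing_fix


if __name__ == "__main__":
    # Constructed sample inventory; hosts and versions are not real.
    report([("webserver-01", "11.32.50"), ("commserve-01", "11.36.46"), ("cc-01", "11.34.10")])
```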

CVE Details

Description: Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker. According to the Commvault advisory: "Webservers can be compromised through bad actors creating and executing webshells." Fixed in versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for the Windows and Linux platforms.

Documentation

https://documentation.commvault.com