The US cybersecurity agency CISA on Monday issued a warning on the active exploitation of recently patched vulnerabilities in Broadcom, Commvault, and Qualitia products.
The Broadcom flaw, tracked as CVE-2025-1976 (CVSS score of 8.6), is described as a code injection issue that could allow an authenticated attacker with administrative privileges to execute arbitrary code as root.
“Through a flaw in IP address validation, a local user, assigned one of the pre-defined admin roles or a user-defined role with admin-level privileges, can execute arbitrary code as if they had full root level access,” Broadcom explains in its advisory.
According to the vendor, an attacker could exploit the bug to execute any Fabric OS command and to modify the Fabric OS itself to add their own subroutines.
The security defect impacts Brocade Fabric OS versions 9.1.0 through 9.1.1d6 and was addressed with the release of Fabric OS version 9.1.1d7.
Certain 11.x versions of the Commvault webserver are impacted by an unspecified vulnerability, tracked as CVE-2025-3928 (CVSS score of 8.7), that can be exploited by a remote, authenticated attacker to compromise the instance by “creating and executing webshells”.
Commvault software versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217 were released in late February to address the bug on Windows and Linux platforms. Additional fixes were issued roughly a week later, “to enhance the security of the webserver module”.
The Qualitia flaw is a stack-based buffer overflow defect in Active! mail 6 that could be exploited by a remote, unauthenticated attacker via crafted requests. Tracked as CVE-2025-42599 (CVSS score of 9.8), the issue would lead to remote code execution or denial-of-service (DoS) conditions.
Qualitia patched the vulnerability on April 16, in Active! mail 6 Build 6.60.06008562 and coordinated with JPCERT/CC to notify users of the fix, warning that the issue had been exploited in the wild.
In fact, Broadcom too warned that the Fabric OS bug had been exploited in attacks when issuing patches for it on April 17. Although a CVE identifier for the Commvault flaw was issued only last week, it was exploited as a zero-day in attacks flagged in March.
On Monday, CISA added all three security defects to its its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to immediately patch vulnerable Broadcom, Commvault, and Qualitia products in their environments.
Per Binding Operational Directive (BOD) 22-01, federal agencies have until May 17 to apply the patches. All organizations are advised to review CISA’s KEV list and address the vulnerabilities as soon as possible.
*The article has been updated to reflect that the Commvault flaw has been exploited as a zero-day.
Related: Craft CMS Zero-Day Exploited to Compromise Hundreds of Websites
Related: SAP Zero-Day Possibly Exploited by Initial Access Broker
Related: Fresh Windows NTLM Vulnerability Exploited in Attacks
Related: Vulnerability in OttoKit WordPress Plugin Exploited in the Wild
