External risk intelligence

Commvault Web Server Vulnerability Allows Webshell Creation

CVE advisory | Known Exploit

CVE-2025-3928

A vulnerability in the Commvault Web Server allows authenticated attackers to create and execute webshells, potentially leading to system compromise and unauthorized access. This poses a business risk to organizations relying on Commvault for data management.

Halo Surface Signal: 4

Commvault

Affected versions:

  • 11.20.0 to before 11.20.217
  • 11.28.0 to before 11.28.141
  • 11.32.0 to before 11.32.89
  • 11.36.0 to before 11.36.46

External exposure likelihood

Halo Surface Signal score for CVE-2025-3928

The vulnerability affects the Commvault Web Server component. Enterprise backup and management software web interfaces, including Commvault's, are frequently deployed as internet-facing portals to facilitate remote management, monitoring, and cloud-connected backup services, making them a common target for external reachability.

Horizon Alert

Summary of the vulnerability and why it matters

The Commvault Web Server has a vulnerability that can be exploited by an attacker who has already gained authenticated access. This flaw could allow an attacker to compromise the web server by creating and executing webshells. The business impact could include unauthorized access and control over the affected systems.

  • Vulnerable: Commvault Web Server
  • Flaw: Allows webshell creation and execution
  • Impact: System compromise and unauthorized access

Attack Path

How an attacker could exploit the issue

Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker. This allows attackers to compromise web servers by creating and executing webshells. The vulnerability has been added to the CISA Known Exploited Vulnerabilities catalog.

  • Exposed web server
  • Authenticated attacker gains access
  • Webshells are created and executed

Live Threat

Current exploitation, exposure, and threat context

A remote, authenticated attacker could exploit this vulnerability by creating and executing webshells, potentially leading to unauthorized access to sensitive data and systems. The threat actor could gain access to client secrets, including OAuth credentials, which can then be used to access Microsoft 365 environments. This could result in the compromise of downstream data in services like Exchange, SharePoint, Teams, and Dynamics 365. The attackers have been linked to a broader campaign targeting SaaS applications.

  • Attackers likely have moderate skill.
  • Requires authenticated access to the web server.
  • High business risk; treat as urgent.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

A remote, authenticated attacker can exploit a vulnerability in the Commvault Web Server to compromise systems by creating and executing webshells. This could lead to unauthorized access and control of affected systems. Organizations using Commvault software should prioritize addressing this vulnerability to mitigate business risk.

  • Find affected Commvault assets.
  • Reduce exposure or isolate risk.
  • Fix, verify, and monitor.
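The first and last of these actions (find affected assets, then verify the fix) come down to comparing each host's reported Commvault build against the four affected ranges this advisory lists, where each "from" bound is inclusive and each "before" bound is the first fixed build. The script below is an added example written for this page, not code from Commvault or from the advisory; the hostnames and versions in the sample inventory are constructed, and the range table is taken from the version list above.

```python
"""Triage a Commvault host inventory against the CVE-2025-3928 affected ranges.

Added example; not code from Commvault or from the advisory. The version
ranges are the four listed on the page: each 'from' bound is inclusive and
each 'before' bound is the first fixed build, so it is exclusive.
"""
import re
from typing import Dict, List, Optional, Tuple

# (first affected build, first fixed build) per release family, as listed above.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("11.20.0", "11.20.217"),
    ("11.28.0", "11.28.141"),
    ("11.32.0", "11.32.89"),
    ("11.36.0", "11.36.46"),
]

_VERSION_RE = re.compile(r"\s*v?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse '11.36.45' (optionally 'v'-prefixed, or with a trailing build tag)
    into a tuple of ints. Raises ValueError if no numeric version is present."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def _padded(version: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    """Right-pad with zeros so a short form like '11.36' compares as '11.36.0'."""
    return version + (0,) * (width - len(version))


def first_fixed_build(version: str) -> Optional[str]:
    """Return the first fixed build for an affected version, or None when the
    version is not inside any listed range (already fixed, or a release family
    the list does not mention)."""
    v = parse_version(version)
    for low, fixed in AFFECTED_RANGES:
        low_t, fixed_t = parse_version(low), parse_version(fixed)
        width = max(len(v), len(low_t), len(fixed_t))
        if _padded(low_t, width) <= _padded(v, width) < _padded(fixed_t, width):
            return fixed
    return None


def triage_inventory(rows: List[Tuple[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Map (hostname, reported version) pairs to a triage row carrying the action
    a defender needs: the upgrade target, or 'not affected' when outside the
    ranges. Unparseable versions are kept and flagged, never silently dropped."""
    result = []
    for host, version in rows:
        try:
            fixed = first_fixed_build(version)
        except ValueError:
            result.append({"host": host, "version": version,
                           "status": "unknown", "upgrade_to": None})
            continue
        result.append({
            "host": host,
            "version": version,
            "status": "affected" if fixed else "not affected",
            "upgrade_to": fixed,
        })
    return result


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = [
    ("cv-web-01", "11.36.45"),    # affected, upgrade to 11.36.46
    ("cv-web-02", "11.36.46"),    # first fixed build of its family
    ("cv-web-03", "11.32"),       # short form, treated as 11.32.0 -> affected
    ("cv-web-04", "v11.28.140"),  # 'v' prefix tolerated
    ("cv-web-05", "11.20.217"),   # first fixed build of its family
    ("cv-web-06", "n/a"),         # unparseable -> flagged for manual check
]

if __name__ == "__main__":
    for row in triage_inventory(SAMPLE_INVENTORY):
        print(f"{row['host']:<10} {row['version']:<12} {row['status']:<13} "
              f"{row['upgrade_to'] or '-'}")
```

Feed it the version column of whatever asset inventory you already keep; a host whose build falls outside every listed range is reported as not affected by this advisory, and a host whose version field cannot be parsed is surfaced as "unknown" so it gets checked by hand rather than disappearing from the report. Re-running the same triage after patching is the "verify" step: every previously affected host should now come back as not affected.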

Frequently asked questions

What is the Commvault Web Server and its purpose in data protection?

The Commvault Web Server is a key component of Commvault's data protection suite. It provides a web-based interface for users to manage, monitor, and configure backup and recovery operations, facilitating remote administration.

How does CVE-2025-3928 enable webshell execution on Commvault Web Server?

CVE-2025-3928 is an unspecified vulnerability allowing an authenticated attacker to create and execute webshells. This can lead to remote code execution, granting the attacker control over the compromised server.

What is the trigger path for the Commvault Web Server vulnerability and its scope?

The trigger path involves an authenticated attacker exploiting an unspecified weakness to create and execute webshells. The scope of the vulnerability allows for compromise of the web server itself.

What is the relevance of CVE-2025-3928 in the context of targeted attacks?

This vulnerability is relevant because threat actors use it to create webshells, potentially accessing client secrets like OAuth credentials. This can lead to the compromise of downstream data in services such as Microsoft 365, Exchange, SharePoint, and Teams.

What actions should be taken to respond to the Commvault Web Server vulnerability?

Organizations should identify affected Commvault assets, reduce exposure or isolate risks, and apply necessary fixes. Monitoring for suspicious activity after remediation is also crucial to mitigate business risk.
