
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, warning that attackers are actively exploiting flaws in Broadcom Brocade Fabric OS, Commvault web servers, and Qualitia Active! Mail. Federal agencies must patch these vulnerabilities by May 17–19, 2025, while private sector organizations are strongly urged to follow suit [1].
TL;DR: Key Vulnerabilities and Deadlines
- CVE-2025-1976: Broadcom Brocade Fabric OS (arbitrary code execution) – Patch by May 19
- CVE-2025-3928: Commvault web servers (webshell deployment) – Patch by May 17
- CVE-2025-42599: Qualitia Active! Mail (buffer overflow) – Patch by May 19
Technical Breakdown of the Vulnerabilities
The Broadcom Brocade Fabric OS vulnerability (CVE-2025-1976) allows authenticated attackers with admin privileges to execute arbitrary code. Despite requiring elevated access, CISA confirmed active exploitation in the wild. The flaw is fixed in Fabric OS 9.1.1d7, while version 9.2.0 remains unaffected [2].
Commvault’s web server vulnerability (CVE-2025-3928) enables authenticated attackers to deploy webshells on exposed systems. Patched versions include 11.36.46 (Windows/Linux), 11.32.89, 11.28.141, and 11.20.217. Network segmentation is recommended as an interim mitigation for unpatched systems [3].
Qualitia Active! Mail (CVE-2025-42599), a Japanese email client used by government and financial sectors, contains a stack-based buffer overflow that has already caused outages in Japan. The fixed version is Active! Mail 6 BuildInfo: 6.60.06008562 [4].
Impact and Mitigation Strategies
These vulnerabilities affect different sectors: Broadcom’s flaw impacts SAN infrastructure, Commvault’s exposes backup systems, and Qualitia’s disrupts email communications. CISA’s binding operational directive requires federal agencies to patch within the specified deadlines, while private organizations should treat these as critical priorities.
| CVE ID | Product | Risk | Patch Status |
|---|---|---|---|
| CVE-2025-1976 | Broadcom Fabric OS | RCE (admin abuse) | Fixed in 9.1.1d7 |
| CVE-2025-3928 | Commvault Web Servers | Webshell upload | Fixed in multiple versions |
| CVE-2025-42599 | Qualitia Active! Mail | Buffer overflow | Fixed in v6.60.06008562 |
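The fixed versions in the breakdown and table above are the only data a defender needs to triage an asset inventory, but the comparison is not a plain string check: Fabric OS uses letter-suffixed patch builds (9.1.1d7), and Commvault ships a separate fixed build per release branch, so an 11.32.x install must be measured against 11.32.89 rather than against 11.36.46. The following Python script is an added example (not CISA, Broadcom, Commvault or Qualitia code) that encodes the fixed versions stated in this article and performs a branch-aware comparison; the inventory records at the bottom are constructed sample data, and the rule that any build below the fixed one on an affected branch counts as unpatched is a conservative assumption of this example.

```python
"""Branch-aware patch-status triage for the three KEV entries in this article.
Added example with constructed inventory data; fixed versions are those the
article states. Treats any build below the fixed build on a listed branch as
unpatched (conservative assumption), and reports branches the article does not
list as unknown rather than guessing."""
import re
from typing import List, Tuple

PATCHED = "patched"
VULNERABLE = "VULNERABLE"
NOT_AFFECTED = "not affected"
UNKNOWN = "unknown branch: consult vendor advisory"

# Fixed versions exactly as given in the article.
FIXED_VERSIONS = {
    "CVE-2025-1976": {
        "product": "Broadcom Brocade Fabric OS",
        "fixed": ["9.1.1d7"],
        "unaffected_branches": ["9.2"],   # article: 9.2.0 remains unaffected
    },
    "CVE-2025-3928": {
        "product": "Commvault Web Server",
        "fixed": ["11.36.46", "11.32.89", "11.28.141", "11.20.217"],
    },
    "CVE-2025-42599": {
        "product": "Qualitia Active! Mail 6",
        "fixed": ["6.60.06008562"],
    },
}


def parse_version(version: str) -> tuple:
    """Split '9.1.1d7' into comparable parts: 9, 1, 1, 'd', 7.
    Each part becomes a 3-tuple so numbers and letter suffixes never raise
    a TypeError when compared; numbers compare numerically, letters as text,
    and a version with extra trailing parts (9.1.1d7) sorts after its base
    release (9.1.1), which matches how Fabric OS patch builds are numbered."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p), "") if p.isdigit() else (1, 0, p.lower()) for p in parts)


def branch(version: str) -> str:
    """Release branch is the first two dotted components, e.g. '11.32'."""
    return ".".join(version.split(".")[:2])


def patch_status(cve: str, installed: str) -> str:
    """Compare an installed version with the fixed build for its own branch."""
    entry = FIXED_VERSIONS[cve]
    b = branch(installed)
    if b in entry.get("unaffected_branches", []):
        return NOT_AFFECTED
    for fixed in entry["fixed"]:
        if branch(fixed) == b:
            return PATCHED if parse_version(installed) >= parse_version(fixed) else VULNERABLE
    return UNKNOWN


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """inventory rows are (hostname, cve, installed_version); returns status per row."""
    return [(host, cve, patch_status(cve, ver)) for host, cve, ver in inventory]


# Constructed sample inventory (hostnames and versions are made up for the demo).
SAMPLE_INVENTORY = [
    ("san-switch-01", "CVE-2025-1976", "9.1.1c3"),
    ("san-switch-02", "CVE-2025-1976", "9.2.0"),
    ("backup-web-01", "CVE-2025-3928", "11.32.88"),
    ("backup-web-02", "CVE-2025-3928", "11.36.46"),
    ("mail-01", "CVE-2025-42599", "6.60.05009999"),
]

if __name__ == "__main__":
    for host, cve, status in triage(SAMPLE_INVENTORY):
        print(f"{host:15} {cve:15} {status}")
```

Feed the script your real inventory export in place of `SAMPLE_INVENTORY`; anything reported as `unknown branch` (for example a Commvault 11.24 install, which the article lists no fixed build for) should be resolved against the vendor advisory rather than assumed safe.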
Detection and Response Recommendations
For Broadcom Fabric OS, monitor for unusual admin account activity and unexpected process execution. Commvault administrators should inspect web server directories for unauthorized PHP/ASPX files. Qualitia users should check mail server logs for crash reports and unexpected process termination.
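The Commvault recommendation above, inspecting web server directories for unauthorized PHP/ASPX files, is most reliable when done against a known-good baseline rather than by eye, because a webshell can be dropped as a new file or planted inside an existing one. The Python script below is an added example (not Commvault's or CISA's tooling) that snapshots the hashes of web-executable files under a document root and then reports files that were added, modified or removed since the snapshot. The extension list and the directory layout in `demo()` are constructed for the example; take the baseline from a freshly patched install and point `find_unexpected_web_files` at the real web root.

```python
"""Baseline-and-diff check for unexpected web-executable files.
Added example with a constructed directory tree; the extension list is an
assumption to be extended for the web stack actually deployed."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# The article names PHP and ASPX files; extend this set for your deployment.
WEB_EXTS = {".php", ".aspx"}


def sha256_file(path: Path) -> str:
    """Stream-hash a file so large artifacts do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map each web-executable file under root (relative, '/'-separated) to its sha256.
    Build this from a known-good tree, e.g. immediately after patching."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in WEB_EXTS
    }


def find_unexpected_web_files(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff the live tree against the baseline: new files, changed files, missing files."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in current.keys() & baseline.keys() if current[p] != baseline[p])
    return {"added": added, "modified": modified, "removed": removed}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: snapshot a clean tree, then simulate one tampered
    file and one unexpected .aspx dropped into a static directory."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app").mkdir()
        (root / "app" / "index.php").write_text("<?php echo 'ok'; ?>\n")
        (root / "app" / "login.aspx").write_text('<%@ Page Language="C#" %>\n')
        (root / "static").mkdir()
        (root / "static" / "logo.png").write_bytes(b"\x89PNG")  # not web-executable, ignored
        baseline = build_baseline(root)

        # Post-incident state (constructed): existing file altered, new file appeared.
        (root / "app" / "index.php").write_text("<?php echo 'ok'; /* changed */ ?>\n")
        (root / "static" / "x.aspx").write_text("constructed unexpected file\n")
        return find_unexpected_web_files(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Store the baseline outside the web root (and ideally off-host) so that an attacker who can write to the document root cannot also rewrite the reference hashes; anything listed under `added` or `modified` is a candidate for the compromise review the article recommends.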
CISA’s KEV catalog update follows recent additions of vulnerabilities in Craft CMS, NAKIVO Backup, and SAP NetWeaver, indicating a pattern of attackers targeting enterprise software [5].
Conclusion
These vulnerabilities demonstrate attackers’ continued focus on enterprise infrastructure components. The inclusion in CISA’s KEV catalog confirms active exploitation, making prompt patching essential. Organizations should prioritize these updates and review related systems for compromise indicators.
References
1. “CISA adds Broadcom Fabric OS, Commvault flaws to exploited vulnerabilities list,” BleepingComputer, 2025. [Online]. Available: https://www.bleepingcomputer.com/news/security/cisa-tags-broadcom-fabric-os-commvault-flaws-as-exploited-in-attacks/
2. “Broadcom Fabric OS Security Advisory,” Broadcom Support, 2025. [Online]. Available: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25602
3. “CISA warns about actively exploited Broadcom, Commvault vulnerabilities,” HelpNetSecurity, 2025. [Online]. Available: https://www.helpnetsecurity.com/2025/04/29/cisa-warns-about-actively-exploited-broadcom-commvault-vulnerabilities-cve-2025-1976-cve-2025-3928/
4. “Active! Mail RCE flaw exploited in attacks on Japanese orgs,” BleepingComputer, 2025. [Online]. Available: https://www.bleepingcomputer.com/news/security/active-mail-rce-flaw-exploited-in-attacks-on-japanese-orgs/
5. “CISA Known Exploited Vulnerabilities Catalog,” CISA, 2025. [Online]. Available: https://www.cisa.gov/known-exploited-vulnerabilities-catalog