Three actively exploited vulnerabilities—CVE-2025-42599 (Qualitia Active! mail), CVE-2025-3928 (Commvault Web Server), and CVE-2025-1976 (Broadcom Brocade Fabric OS)—have been added to CISA’s KEV catalog. The Qualitia flaw is a remote stack-based buffer overflow (CVSS 9.8) allowing code execution without authentication. Commvault’s vulnerability permits authenticated attackers to deploy web shells for persistent access (CVSS 8.8), while Broadcom’s code injection flaw lets local admin users escalate to root (CVSS 8.4). All three are confirmed to be under active exploitation.
CISA has issued remediation deadlines under BOD 22-01: May 17 for Qualitia and Commvault, and May 19 for Broadcom. Federal agencies must patch by those dates or disconnect the affected assets. Inclusion in the KEV catalog signals reliable evidence of exploitation and raises the urgency of patching beyond what CVSS severity alone conveys. Notably, Commvault’s ecosystem also includes CVE-2025-34028, a separate unauthenticated path traversal vulnerability for which a PoC is available, which further raises its threat profile.
Web shells—used in the Commvault attack vector—highlight a broader trend in persistent access techniques. These server-side scripts give attackers command execution on the compromised host after initial access, enabling exfiltration, lateral movement, and integration into broader C2 infrastructure. Effective countermeasures include integrity monitoring of web roots, privilege restrictions on the web server process, and layered network defenses.
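The integrity-monitoring countermeasure above, as an added example that is not part of the original article or of any vendor's tooling: it baselines SHA-256 digests of a web root, then flags added or modified files whose extension the web server would execute, which is the usual footprint of a dropped web shell. The web root layout, file names and extension list are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions the web server executes; a new or changed file with one of these
# in the web root is the classic footprint of a web shell (constructed list).
EXECUTABLE_EXTS = {".jsp", ".jspx", ".aspx", ".ashx", ".php"}


def snapshot(root):
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    digests = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Return (added, modified, removed) relative paths between two snapshots."""
    added = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and baseline[p] != current[p])
    removed = sorted(p for p in baseline if p not in current)
    return added, modified, removed


def web_shell_alerts(baseline, current):
    """Flag added or modified files with server-executed extensions only."""
    added, modified, _ = diff_snapshots(baseline, current)
    return sorted(p for p in added + modified if Path(p).suffix.lower() in EXECUTABLE_EXTS)


def demo():
    """Constructed web root: take a known-good baseline, then simulate a drop."""
    with tempfile.TemporaryDirectory() as root:
        webapp = Path(root, "webapp")
        webapp.mkdir()
        (webapp / "index.jsp").write_text("<html>legitimate page</html>")
        (webapp / "logo.png").write_bytes(b"\x89PNG constructed image bytes")
        baseline = snapshot(root)
        # Simulated post-compromise changes: a new script (should alert) and a
        # modified static asset (should not alert; content is a placeholder).
        (webapp / "help.jsp").write_text("<!-- constructed placeholder, not a payload -->")
        (webapp / "logo.png").write_bytes(b"\x89PNG changed bytes")
        return web_shell_alerts(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())  # ['webapp/help.jsp']
```

In production the baseline would be written at deploy time and stored off-host, and any alert would be correlated with web server access logs for the flagged path.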