
CISA Warns of Active Exploits in Popular IT Software


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns that attackers are actively exploiting serious security flaws in Broadcom, Commvault, and Qualitia products. The agency is urging both federal agencies and private organizations to apply patches immediately to prevent further intrusions.

Among the threats flagged is a high-severity vulnerability in Broadcom's Brocade Fabric OS, tracked as CVE-2025-1976. Scoring 8.6 on the CVSS scale, the flaw allows a user who already holds admin-level access to inject and run arbitrary code with full root privileges, so its practical impact is escalation from the restricted admin role to the underlying operating system. Broadcom attributes the bug to improper IP address validation and says an attacker could use it to run existing Fabric OS commands or modify Fabric OS itself. Fabric OS versions 9.1.0 through 9.1.1d6 are affected, and the issue is fixed in version 9.1.1d7. Notably, Broadcom confirmed the flaw is already being used in real-world attacks.

Commvault is also facing a critical issue in some versions of its Web Server component. The vulnerability, tracked as CVE-2025-3928 with a CVSS score of 8.7, could allow a remote, authenticated attacker to compromise servers by creating and executing webshells. Fixes have been released for multiple Commvault builds, namely 11.36.46, 11.32.89, 11.28.141, and 11.20.217, across both Windows and Linux systems; because each of these is a separate feature-release branch, an installation is only protected once it is at or above the fixed build for its own branch. The company also released an additional update shortly afterwards to further harden the Web Server.

Meanwhile, a severe flaw in Qualitia's Active! mail 6 is raising red flags. This vulnerability, CVE-2025-42599, is a stack-based buffer overflow with a CVSS score of 9.8. It allows unauthenticated attackers to remotely execute code or trigger a denial of service (DoS) by sending specially crafted requests, which makes Internet-facing instances the most exposed. The vulnerability was fixed on April 16 in Active! mail 6 Build 6.60.06008562, and Qualitia worked with Japan's JPCERT/CC to notify users of the risk. Like the Broadcom issue, this flaw has also been confirmed as exploited in the wild.

CISA has added all three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Under Binding Operational Directive (BOD) 22-01, U.S. federal civilian agencies must apply the fixes by May 17, 2025. CISA is encouraging all organizations, not only federal agencies, to treat these flaws as urgent and act immediately.
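As a practical follow-up to the KEV paragraph, here is an added Python example (not code from the article, from CISA, or from any of the three vendors) of the check a patch-management team would run: take a KEV-style feed excerpt, join it against a host inventory, decide whether each installed build is below the first fixed build the article names for that branch, and report the days left to the BOD 22-01 due date. The feed excerpt and the inventory are constructed inline (the excerpt follows the field names of CISA's published KEV JSON schema, but the real feed has to be fetched separately), the fixed-build table is transcribed from the article, and the helper names `version_key`, `branch`, `assess`, `triage` and `run_example` are this example's own.

```python
import json
import re
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. Field names follow the
# published schema; only the fields this example needs are included.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-1976", "vendorProject": "Broadcom", "product": "Brocade Fabric OS",
     "dateAdded": "2025-04-28", "dueDate": "2025-05-17"},
    {"cveID": "CVE-2025-3928", "vendorProject": "Commvault", "product": "Commvault Web Server",
     "dateAdded": "2025-04-28", "dueDate": "2025-05-17"},
    {"cveID": "CVE-2025-42599", "vendorProject": "Qualitia", "product": "Active! mail 6",
     "dateAdded": "2025-04-28", "dueDate": "2025-05-17"},
]})

# First fixed build per product and release branch, as stated in the article.
# Branches not listed here are reported as "unknown", never silently as safe.
FIXED = {
    "Brocade Fabric OS": {"9.1": "9.1.1d7"},
    "Commvault Web Server": {"11.36": "11.36.46", "11.32": "11.32.89",
                             "11.28": "11.28.141", "11.20": "11.20.217"},
    "Active! mail 6": {"6.60": "6.60.06008562"},
}

# Constructed host inventory: (hostname, product, installed version).
INVENTORY = [
    ("san-switch-01", "Brocade Fabric OS", "9.1.1d6"),
    ("san-switch-02", "Brocade Fabric OS", "9.1.1d7"),
    ("backup-cs-01", "Commvault Web Server", "11.32.88"),
    ("mail-gw-01", "Active! mail 6", "6.60.06008561"),
    ("san-switch-03", "Brocade Fabric OS", "9.2.0"),
]


def version_key(v):
    """Tokenise a vendor version string so that mixed numeric/letter builds compare
    sensibly: 9.1.1 < 9.1.1d6 < 9.1.1d7 and 6.60.06008561 < 6.60.06008562.
    Numeric runs compare as integers, letter runs lexically; the tag in each tuple
    keeps Python from comparing int with str."""
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in re.findall(r"\d+|[A-Za-z]+", v))


def branch(v):
    """Release branch = first two numeric components, e.g. 11.32.88 -> '11.32'."""
    return ".".join(re.findall(r"\d+", v)[:2])


def assess(product, installed):
    """Return 'vulnerable', 'patched', or 'unknown' for one installed build."""
    fixed = FIXED.get(product, {}).get(branch(installed))
    if fixed is None:
        return "unknown"  # branch not covered by the advisory data we hold
    return "vulnerable" if version_key(installed) < version_key(fixed) else "patched"


def triage(feed_json, inventory, today):
    """Join the inventory against the KEV feed and compute remediation status."""
    kev = {e["product"]: e for e in json.loads(feed_json)["vulnerabilities"]}
    findings = []
    for host, product, version in inventory:
        entry = kev.get(product)
        if entry is None:
            continue  # product not in the catalog excerpt
        due = date.fromisoformat(entry["dueDate"])
        findings.append({
            "host": host, "cve": entry["cveID"], "version": version,
            "status": assess(product, version),
            "days_to_due": (due - today).days,
        })
    # Worst first: vulnerable, then unknown, then patched.
    order = {"vulnerable": 0, "unknown": 1, "patched": 2}
    return sorted(findings, key=lambda f: (order[f["status"]], f["host"]))


def run_example(today=date(2025, 5, 10)):
    return triage(KEV_FEED, INVENTORY, today)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['host']:<14} {f['cve']:<15} {f['version']:<16} "
              f"{f['status']:<10} due in {f['days_to_due']} days")
```

The version comparison is the part that usually goes wrong in home-grown scripts: a plain string compare would rank "9.1.1d10" below "9.1.1d7", and a naive integer split would choke on the "d" suffix that Fabric OS uses. Keeping the fixed-build table per branch matters for Commvault in particular, where 11.28.141 is patched but 11.32.88 is not, even though 11.32 is the newer branch.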

As cybercriminals and state-sponsored actors increasingly target widely used enterprise software, timely patching and vulnerability management remain critical. CISA warns that delayed response can leave systems open to severe disruptions, data theft, or long-term compromise.
