Attacks on vulnerabilities in Commvault, Brocade Fabric OS and Active! Mail
Attackers are targeting recent vulnerabilities in Commvault, Brocade Fabric OS and Active! Mail and compromising systems.
Cyber criminals are attacking recent vulnerabilities in several products: Commvault, Brocade Fabric OS and Active! Mail. Attacks on the vulnerabilities have been observed in the wild. Admins should install the patched versions quickly.
The US cybersecurity authority CISA is currently warning of the ongoing cyberattacks. One of the vulnerabilities under attack is in the Brocade Fabric OS operating system. According to the vulnerability description, the developers removed root access as of version 9.1.0, but local users with admin rights may still be able to execute arbitrary code with full root rights. Fabric OS versions 9.1.0 to 9.1.1d6 are affected (CVE-2025-1976, CVSS 8.6, risk “high”). According to Broadcom's security announcement, Fabric OS 9.1.1d7 corrects the problem, while version 9.2.0 is not vulnerable.
Backup and recovery software attacked
Commvault Backup & Recovery is normally used for backing up and restoring data. Malicious actors can abuse a vulnerability in its web server to plant and execute web shells, and they are in fact doing so in the wild. To do this, they need credentials for an account, which makes the attacks somewhat more difficult. Commvault calls the vulnerability “critical” in a security announcement (CVE-2025-3928, CVSS 8.7, risk “high”). The Commvault versions for Linux and Windows 11.36.46, 11.32.89, 11.28.141 and 11.20.217 patch the bug.
A third actively attacked vulnerability affects Active! Mail 6: unauthenticated attackers can abuse a stack-based buffer overflow with carefully prepared requests from the network to paralyze the service or even inject malicious code (CVE-2025-42599, CVSS 9.8, risk “critical”). The report comes from the Japanese CERT; the software is likely to be used primarily in Japan. Where the software is required, the update to version 6.60.06008562 should be carried out quickly to fix the vulnerability.
CISA does not disclose what the attacks look like, how extensive they are, or how they can be detected. IT managers should therefore install the updates as quickly as possible to reduce the attack surface and avoid falling victim to the observed attacks.
Last week, CISA had to warn of active attacks on a vulnerability in Microsoft's NTLM authentication. The Windows updates from March plug the security leak.
(dmk)