Brocade Fabric OS flaw could allow code injection attacks

A high-severity flaw affecting Broadcom’s Brocade Fabric OS (FOS) has allowed attackers to run arbitrary code on affected environments with full root-level privileges.

The flaw, tracked as CVE-2025-1976, is particularly dangerous because it can allow complete takeover of FOS devices, including Fibre switches and directors, which are core to Storage Area Networks (SANs). With that level of control, attackers could modify system files, configuration data, firmware and security mechanisms, and install persistent malware.

“Brocade Fabric OS versions starting with 9.1.0 have root access removed, however, a local user with admin privilege can potentially execute arbitrary code with full root privilege on Fabric OS versions 9.1.0 through 9.1.1d6,” reads a Broadcom description.

Broadcom has issued a fix through the Brocade FOS 9.1.1d7 update.

CISA tags the flaw as actively exploited

CISA added CVE-2025-1976, along with two others, to its Known Exploited Vulnerabilities (KEV) Catalog. “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” it said in an advisory.

The flaw, which received a severity rating of CVSS 8.6 out of 10, arises from improper input validation, the company said in an advisory. “Through a flaw in IP Address validation, a local user, assigned one of the pre-defined admin roles or a user-defined role with admin-level privileges, can execute arbitrary code as if they had full root-level access.”

Attackers exploiting the flaw could run any existing FOS command or even alter the OS itself by injecting custom subroutines. While the exploit does require initial access to an admin-level account, the company confirmed the vulnerability has already been seen in active use in real-world attacks.

Brocade FOS versions 9.2.0 and later, Brocade ASCG, and Brocade SANnav products are not impacted, as per the advisory. CISA recommended that Federal Civilian Executive Branch (FCEB) agencies promptly patch the vulnerability as per the BOD 22-01 directive.
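A small inventory check, added here as an example and not part of the article or of any Broadcom tooling, that maps the version ranges above onto a list of switches so an operator can see which ones still need the 9.1.1d7 update. It assumes FOS version strings follow the major.minor.patch plus optional letter and number pattern seen in 9.1.1d6, that those suffixes order as described in the comments, and uses a constructed sample inventory rather than real device data.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected range and fix level as stated in Broadcom's advisory for CVE-2025-1976.
AFFECTED_MIN = "9.1.0"
AFFECTED_MAX = "9.1.1d6"
FIXED = "9.1.1d7"

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z])?(\d+)?$")


def parse_fos_version(ver: str) -> Tuple[int, int, int, str, int]:
    """Turn a FOS version string such as '9.1.1d6' into a comparable tuple.

    Assumption (not from the advisory): a letter suffix sorts after the bare
    release ('9.1.1' < '9.1.1d') and a trailing number is a patch on that
    letter release ('9.1.1d' < '9.1.1d6' < '9.1.1d7').
    """
    m = _VER_RE.match(ver.strip().lower())
    if not m:
        raise ValueError(f"unrecognised FOS version string: {ver!r}")
    major, minor, patch, letter, num = m.groups()
    return (int(major), int(minor), int(patch), letter or "", int(num or 0))


def is_affected(ver: str) -> Optional[bool]:
    """True for 9.1.0..9.1.1d6, False for 9.1.1d7 and later (including 9.2.0+).

    Returns None for releases below 9.1.0, which the advisory text does not cover.
    """
    v = parse_fos_version(ver)
    if v < parse_fos_version(AFFECTED_MIN):
        return None
    return v <= parse_fos_version(AFFECTED_MAX)


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group switch names from {name: version} into 'patch', 'ok' and 'unknown'."""
    out: Dict[str, List[str]] = {"patch": [], "ok": [], "unknown": []}
    for name, ver in sorted(inventory.items()):
        status = is_affected(ver)
        key = "unknown" if status is None else ("patch" if status else "ok")
        out[key].append(name)
    return out


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = {
    "san-dir-01": "9.1.1d6",
    "san-sw-02": "9.1.1d7",
    "san-sw-03": "9.2.0",
    "san-sw-04": "9.1.0",
    "san-sw-05": "9.0.1c",
}

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```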

The same KEV update included a Commvault flaw

CISA also added a high-severity bug (CVSS 8.7/10) affecting Commvault Web Server to its KEV Catalog, recommending patching under the same BOD directive.

The flaw, tracked as CVE-2025-3928, is an unspecified vulnerability that can be exploited by a remote, authenticated attacker to execute webshells. All versions before 11.36.46, 11.32.89, 11.28.141, and 11.20.217 are affected and must be upgraded to the latest versions.

“Exploiting this vulnerability requires a bad actor to have authenticated user credentials within the Commvault Software environment,” the company said in an advisory. “Unauthenticated access is not exploitable.” The vulnerability affects and must be resolved on Commvault’s CommServe, Web Servers, and Command Center, while client computers remain unaffected.
