
Programmer’s Digest #132

04/23/2025-04/30/2025 Broadcom Fabric OS, CommVault Flaws, New Critical SAP NetWeaver Flaw, Rack::Static Vulnerability And More

1. CISA Tags Broadcom Fabric OS, CommVault Flaws as Exploited in Attacks

CISA has added three actively exploited vulnerabilities to its KEV catalog, affecting Broadcom Brocade Fabric OS, Commvault web servers, and Qualitia Active! Mail clients. CVE-2025-1976 impacts Broadcom Brocade Fabric OS versions 9.1.0–9.1.1d6. Though admin access is required, attackers have exploited it to execute arbitrary commands or modify the OS. The issue is fixed in version 9.1.1d7, and the 9.2.0 branch is unaffected. CVE-2025-3928 targets Commvault’s backup web servers, allowing authenticated remote attackers to deploy webshells. Despite authentication requirements, it is being exploited. Fixes are available for Windows and Linux. CVE-2025-42599 affects all versions of Active! Mail up to BuildInfo 6.60.05008561. The stack-based buffer overflow vulnerability has been exploited, causing outages among Japanese SMBs and ISPs. It is patched in BuildInfo 6.60.06008562. CISA has set patch deadlines of May 17, 2025, for CVE-2025-3928 and May 19 for the others.

2. New Critical SAP NetWeaver Flaw Exploited to Drop Web Shell, Brute Ratel Framework

Threat actors are exploiting a new vulnerability in SAP NetWeaver (now tracked as CVE-2025-31324) to upload JSP web shells for unauthorized file uploads, remote code execution, and persistent access. The flaw resides in the /developmentserver/metadatauploader endpoint and allows unauthenticated file uploads. ReliaQuest initially suspected a remote file inclusion issue but confirmed it’s an unrestricted file upload vulnerability. Threat actors have been observed using Brute Ratel C4 and Heaven’s Gate techniques, possibly as part of initial access brokerage. Attacks date back to March 27, 2025, mainly targeting manufacturing firms. The shells allow system-level access with adm privileges. SAP has released a patch addressing the flaw. Onapsis and ProjectDiscovery have provided tools to detect and scan for this vulnerability and related indicators of compromise. Shadowserver reports 427 exposed systems, with most located in the U.S., India, and Australia. Not all SAP NetWeaver systems are vulnerable, as exposure depends on the metadata uploader being enabled.

3. Researchers Identify Rack::Static Vulnerability Enabling Data Breaches in Ruby Servers

Cybersecurity researchers have disclosed three vulnerabilities in the Rack Ruby web server interface that could allow attackers to access files, inject malicious data, and tamper with logs. The flaws, identified by OPSWAT, include:

  • CVE-2025-27610 (CVSS 7.5): A path traversal vulnerability that allows access to files outside the intended directory, potentially exposing sensitive data.
  • CVE-2025-27111 & CVE-2025-25184 (CVSS 6.9 & 5.7): Log injection vulnerabilities that enable manipulation of log entries and insertion of malicious data.

The issues stem from how Rack::Static handles user-supplied paths. If the :root parameter is undefined or misconfigured, an attacker could access confidential files. Users are advised to update or properly configure :root.
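As an added illustration of the two bug classes in this item (path traversal through a static-file root, and log injection via unsanitized input), here is a small Ruby example. It is not Rack's code and does not use the Rack library; the `StaticFileResolver` class and the `/srv/app/public` root are constructed for the example. It shows the check a static-file handler needs when mapping a URL path onto a configured root, and the escaping a logger needs before writing request-controlled strings.

```ruby
# Constructed example (not Rack::Static itself): resolve a user-supplied URL
# path against a configured root and refuse anything that escapes it.
# The failure mode mirrored here is a missing or over-broad :root, which lets
# "../" segments (plain or percent-encoded) reach files outside the intended
# directory.
class StaticFileResolver
  def initialize(root:)
    # An undefined root is a configuration error, not something to default.
    raise ArgumentError, "root must be configured" if root.nil? || root.to_s.empty?
    @root = File.expand_path(root)
  end

  # Returns the absolute filesystem path for +url_path+, or nil when the
  # request would resolve outside the configured root.
  def resolve(url_path)
    # Decode percent-encoding once so "%2e%2e" is judged as "..".
    decoded = url_path.to_s.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
    # Embedded NULs can truncate paths in lower layers; reject outright.
    return nil if decoded.include?("\0")

    # Strip leading slashes so expand_path treats the value as relative, and
    # prefix "./" so a leading "~" is never expanded to a home directory.
    relative = "./" + decoded.sub(%r{\A/+}, "")
    candidate = File.expand_path(relative, @root)

    inside = candidate == @root || candidate.start_with?(@root + File::SEPARATOR)
    inside ? candidate : nil
  end
end

# Companion check for the log-injection class: request-controlled values
# must not be able to start a new log line or smuggle control characters.
def sanitize_for_log(value)
  value.to_s.gsub(/[\r\n]/, "\r" => "\\r", "\n" => "\\n")
             .gsub(/[[:cntrl:]]/) { |c| format("\\x%02x", c.ord) }
end

if __FILE__ == $PROGRAM_NAME
  resolver = StaticFileResolver.new(root: "/srv/app/public")
  puts resolver.resolve("/css/site.css").inspect
  puts resolver.resolve("/../../etc/passwd").inspect
  puts sanitize_for_log("GET /x\n[ERROR] forged line").inspect
end
```

With a root of `/` every candidate path is "inside", which is the misconfigured case the advisory warns about; the check above only protects a root that is as narrow as the static directory it is meant to serve.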

Separately, a critical flaw (CVE-2025-43928, CVSS 9.8) in Infodraw Media Relay Service allows unauthenticated users to read or delete arbitrary files via path traversal in the login page. No patch is available; affected systems in Belgium and Luxembourg have been taken offline as a precaution.

4. JPCERT Warns of DslogdRAT Malware Deployed in Ivanti Connect Secure

Researchers have identified new malware, DslogdRAT, deployed after exploiting a zero-day vulnerability in Ivanti Connect Secure (ICS). The flaw, CVE-2025-0282 (CVSS 9.0), is a stack-based buffer overflow affecting Ivanti Connect Secure versions before 22.7R2.5, Ivanti Policy Secure before 22.7R1.2, and Ivanti Neurons for ZTA before 22.7R2.3. Attackers can exploit the flaw for remote code execution or privilege escalation.

In December 2024, attackers exploited this vulnerability to deploy DslogdRAT via a Perl-based CGI web shell, which executed arbitrary commands if a specific cookie value matched. DslogdRAT then communicated with a C2 server using XOR-encoded data. It operates between 8 AM and 8 PM to avoid detection, supports proxy functions, file uploads/downloads, and command execution.

Additionally, another malware, SPAWNSNARE, was detected in the same compromised systems. CISA and Google previously reported SPAWNSNARE in April 2025.
