CISA just added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, and if you’re running products from Broadcom, Commvault, or Qualitia, this is your heads-up. These aren’t theoretical threats—all three are being actively exploited in the wild, and patches are already available.
Let’s break down what we’re looking at.
The Broadcom vulnerability (CVE-2025-1976, CVSS 8.6) affects Brocade Fabric OS versions 9.1.0 through 9.1.1d6. It’s a code injection issue that allows an authenticated user with admin privileges to execute arbitrary commands as root. This means attackers could run any Fabric OS command or even modify the OS itself. Broadcom issued a patch in version 9.1.1d7 and has confirmed the flaw was exploited before the fix was released.
Next is Commvault’s webserver vulnerability (CVE-2025-3928, CVSS 8.7). This one lets a remote, authenticated attacker drop and run webshells to gain full control of the instance. What’s especially important here is that this was exploited as a zero-day earlier this year, before a CVE was even assigned. Fixes went out in late February for Windows and Linux systems, covering versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217—with additional hardening added shortly after.
The third and most critical bug is CVE-2025-42599 in Qualitia’s Active! mail 6. It’s a stack-based buffer overflow that allows unauthenticated remote code execution or DoS—and it carries a CVSS score of 9.8. This one’s already been used in real attacks. Qualitia patched it on April 16 in Build 6.60.06008562, working with JPCERT/CC to notify affected users.
Because these bugs are confirmed active, CISA is requiring federal agencies to patch all three by May 17, under Binding Operational Directive (BOD) 22-01. But the warning isn’t just for government networks—these are widely used enterprise products, and if they’re in your environment, you’ll want to ensure you’re not exposed.
What makes this especially relevant for teams managing hybrid infrastructures is that each of these exploits hits a different angle—privilege escalation in networking gear, remote control of backup infrastructure, and unauthenticated RCE via email software. It’s a snapshot of how attackers continue to probe for weaknesses across the stack.
If these vendors are anywhere in your supply chain or internal tools, now’s the time to check versions and confirm patches are in place. The fact that exploitation is already happening across all three should raise urgency.
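One way to run that version check across an inventory, as an added example that is not from CISA or any of the vendors. The version thresholds are the ones quoted above; the product labels, hostnames, version-ordering rules and the reading of the four Commvault versions as the minimum fixed release per release line are assumptions.

```python
import re

# Version data comes from the article; parsing/ordering rules are assumptions.
FOS_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)([a-z]?)(\d*)$")
COMMVAULT_FIXED = {(11, 36): 46, (11, 32): 89, (11, 28): 141, (11, 20): 217}
ACTIVEMAIL_FIXED = (6, 60, 6008562)  # Build 6.60.06008562

def fos_key(version):
    m = FOS_RE.match(version.strip().lower())  # e.g. '9.1.1d6'
    if not m:
        raise ValueError(f"unrecognized Fabric OS version: {version!r}")
    major, minor, patch, letter, rev = m.groups()
    return (int(major), int(minor), int(patch), letter, int(rev or 0))

def dotted(version):
    return tuple(int(part) for part in version.strip().split("."))

def triage(product, version):
    """Return 'vulnerable', 'ok' or 'unknown' for one inventory entry."""
    try:
        if product == "fabric-os":        # CVE-2025-1976
            in_range = fos_key("9.1.0") <= fos_key(version) <= fos_key("9.1.1d6")
            return "vulnerable" if in_range else "ok"  # ok = outside listed range
        if product == "commvault":        # CVE-2025-3928
            major, minor, patch = dotted(version)
            fixed = COMMVAULT_FIXED.get((major, minor))
            if fixed is None:
                return "unknown"          # release line not listed in the article
            return "ok" if patch >= fixed else "vulnerable"
        if product == "active-mail":      # CVE-2025-42599
            build = dotted(version)
            if build[:1] != (6,):
                return "unknown"          # article only covers Active! mail 6
            return "ok" if build >= ACTIVEMAIL_FIXED else "vulnerable"
    except ValueError:
        pass                              # unparseable version string
    return "unknown"

# Constructed sample inventory: (host, product label, reported version).
INVENTORY = [
    ("san-sw-01", "fabric-os", "v9.1.1d6"),
    ("san-sw-02", "fabric-os", "9.1.1d7"),
    ("backup-01", "commvault", "11.36.45"),
    ("backup-02", "commvault", "11.38.10"),
    ("mail-01", "active-mail", "6.60.06008562"),
]

def exposed(inventory):
    return [(h, s) for h, p, v in inventory if (s := triage(p, v)) != "ok"]
```

Entries that come back as `unknown` are reported alongside the vulnerable ones so that an unparseable or unlisted version gets a manual look instead of passing silently.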