The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two actively exploited vulnerabilities—CVE-2025-1976 and CVE-2025-3928—to its Known Exploited Vulnerabilities (KEV) catalog. CVE-2025-1976 affects Broadcom Brocade Fabric OS (versions 9.1.0 to 9.1.1d6) and allows local administrators to execute arbitrary code with root privileges due to an IP address validation flaw, with a fix available in version 9.1.1d7. CVE-2025-3928 impacts Commvault Web Server and enables remote, authenticated attackers to deploy and run web shells. Although unauthenticated users cannot exploit this flaw directly, attackers with valid credentials could compromise internet-accessible systems. This vulnerability affects multiple versions of the Commvault software across Windows and Linux, with fixes issued in later patch versions. Agencies are required to patch Commvault by May 17, 2025, and Broadcom Brocade Fabric OS by May 19, 2025.