CISA Adds Broadcom Brocade Fabric OS Vulnerability to Known Exploited Vulnerabilities Catalog

CISA officially added a significant security flaw affecting Broadcom’s Brocade Fabric OS to its authoritative Known Exploited Vulnerabilities (KEV) Catalog, underscoring the urgent need for remediation across enterprise and government environments. 

The vulnerability, tracked as CVE-2025-1976, is classified as a code injection vulnerability and carries a high CVSS base score of 8.6 due to its potential to allow local attackers with administrative privileges to execute arbitrary code with full root access. 

This escalation of privilege could enable a complete compromise of the underlying storage network infrastructure, posing significant risks to data integrity and operational continuity.

Brocade Fabric OS Vulnerability - CVE-2025-1976

CVE-2025-1976 specifically affects Brocade Fabric OS versions 9.1.0 through 9.1.1d6. Although these versions had previously removed direct root access as a security measure, a flaw in the validation of IP addresses within the operating system allows a local user with administrative privileges to bypass intended controls. 

By exploiting this vulnerability, the attacker can inject and execute arbitrary code as the root user, thereby gaining unrestricted control over the system.

The vulnerability is categorized under CWE-94, “Improper Control of Generation of Code (‘Code Injection’),” which describes scenarios where software constructs code segments using externally influenced input without proper neutralization of special elements. 

This allows attackers to alter the syntax or behavior of the code, leading to unintended execution paths or privilege escalation. 

In the context of Brocade Fabric OS, exploitation could permit not only the execution of existing system commands but also the modification of core operating system components, including the insertion of unauthorized subroutines or backdoors.

The technical vector for exploitation is local, requiring authenticated administrative access. However, in environments where administrative credentials are widely distributed or insufficiently protected, the risk of compromise increases substantially. 

The vulnerability does not require user interaction or complex attack chains, further amplifying its severity rating.

Risk Factors           Details
Affected Products      Brocade Fabric OS versions 9.1.0 through 9.1.1d6
Impact                 Allows a local admin user to execute arbitrary code with full root privileges
Exploit Prerequisites  Local access with administrative privileges
CVSS 3.1 Score         8.6 (High)

CISA Warns of Active Exploitation

CISA’s decision to add CVE-2025-1976 to the KEV Catalog is based on evidence of active exploitation in the wild. 

Security advisories and threat intelligence reports have confirmed that attackers are leveraging this flaw to gain root-level access on affected Brocade Fabric OS installations. 

While there is currently no public proof-of-concept code available, the presence of exploitation activity elevates the urgency for organizations to respond.

The KEV Catalog, established under Binding Operational Directive (BOD) 22-01, serves as a prioritized list of vulnerabilities that pose significant risk to federal and critical infrastructure networks. 

Federal Civilian Executive Branch (FCEB) agencies are mandated to remediate listed vulnerabilities within the specified timeline, which for CVE-2025-1976 is May 19, 2025. 

CISA strongly recommends that private sector organizations also prioritize remediation in alignment with this directive, given the potential for lateral movement and broader network compromise.

Mitigation Guidance 

Broadcom has issued a security advisory and released a patched version of Brocade Fabric OS (version 9.1.1d7) that addresses the code injection vulnerability. 

Organizations are advised to upgrade to this version immediately to mitigate the risk of exploitation. 

In cases where immediate patching is not feasible, administrators should restrict and audit admin-level access, enforce strict access controls, and monitor for suspicious activity originating from privileged accounts. 

Isolating Fabric OS systems from less trusted networks and regularly reviewing system logs for anomalous behavior are also recommended interim measures.
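A practical first step in the guidance above is knowing which switches still run a version in the affected range. The following is an added example, not code from the article or from Broadcom: it parses Fabric OS version strings of the "9.1.1d6" form (the layout is assumed from the versions quoted in the article: major.minor.patch, optional patch letter, optional patch number), checks each against the range 9.1.0 through 9.1.1d6 and the 9.1.1d7 fix, and triages a constructed inventory.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected range and fixed version as stated in the advisory text.
AFFECTED_MIN = "9.1.0"
AFFECTED_MAX = "9.1.1d6"
FIXED_VERSION = "9.1.1d7"

# Assumed version layout: major.minor.patch[letter][number], e.g. "9.1.1d6".
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)([a-z])?(\d+)?$")


def parse_fos_version(text: str) -> Optional[Tuple[int, int, int, int, int]]:
    """Turn "9.1.1d6" into a comparable tuple (9, 1, 1, 4, 6).

    A base release with no patch letter ("9.1.1") sorts before "9.1.1a";
    a patch letter with no number ("9.1.1d") sorts before "9.1.1d1".
    Returns None for strings that do not match the assumed layout.
    """
    match = VERSION_RE.match(text.strip().lower())
    if not match:
        return None
    major, minor, patch, letter, number = match.groups()
    letter_rank = (ord(letter) - ord("a") + 1) if letter else 0
    number_rank = int(number) if number else 0
    return (int(major), int(minor), int(patch), letter_rank, number_rank)


def is_affected(version: str) -> Optional[bool]:
    """True inside the listed range, False outside it (9.1.1d7 and later
    included), None when the string cannot be parsed and needs manual review."""
    parsed = parse_fos_version(version)
    if parsed is None:
        return None
    return parse_fos_version(AFFECTED_MIN) <= parsed <= parse_fos_version(AFFECTED_MAX)


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each (switch name, reported version) to a remediation status."""
    labels = {True: "AFFECTED - upgrade to " + FIXED_VERSION,
              False: "not in listed range", None: "unparsed - review manually"}
    return {name: labels[is_affected(ver)] for name, ver in inventory}


# Constructed sample inventory (hypothetical switch names and versions).
SAMPLE_INVENTORY = [("sw-core-01", "9.1.1d6"), ("sw-core-02", "9.1.1d7"),
                    ("sw-edge-03", "9.1.0"), ("sw-lab-04", "v9.1.1b"),
                    ("sw-old-05", "unknown")]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {status}")
```

Feed it the versions collected from your own switch inventory; anything reported as unparsed should be checked by hand rather than assumed safe.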

The incident serves as a reminder of the importance of robust access controls, timely patch management, and continuous monitoring in safeguarding mission-critical systems.
