CISA warns of attacks on Commvault’s Microsoft Azure environment

Diverging Reports Breakdown

CISA warns of attacks on Commvault’s Microsoft Azure environment

The Cybersecurity and Infrastructure Security Agency (CISA) on May 22 issued an advisory that Commvault has been monitoring cyber threat activity that was targeting applications hosted in its Microsoft Azure cloud environment.

CISA said it believes the threat activity may be part of a larger campaign targeting various software-as-a-service (SaaS) companies’ cloud apps with default configurations and elevated permissions that lead to attackers stealing secrets.

The federal cybersecurity agency advised teams to monitor Microsoft Entra audit logs for unauthorized modifications or additions of credentials to service principals initiated by Commvault backup apps. CISA also said teams should handle deviations from regular login schedules as suspicious.

Nic Adams, co-founder and CEO at 0rcus, said CISA’s recent alert confirms what black hats have known for several years: SaaS platforms are the Achilles’ heel of enterprise risk.

“The industry’s obsession with endpoint agents and EDR leaves entire SaaS ecosystems wide open: misconfigurations, overprivileged service principals, and leaky API integrations are free money for adversaries,” said Adams. “Additionally, vendors are running on trust-based authentication models and default configs disintegrate under targeted pressure. SaaS breaches are systemic and invisible until an external agency blows the whistle.”

James Maude, Field CTO at BeyondTrust, added that this news from CISA highlights the risks involved in allowing third parties privileged access into a company’s environment: their breach becomes your breach. Maude said while many organizations have robust controls for issuing and managing the access of human accounts used by contractors and third parties, the story is often very different when it comes to non-human identities and secrets that enable machine-to-machine interactions.

“By their very nature these non-human identities often need to be privileged to access large amounts of data to back it up, perform analysis and enable business processes,” said Maude. “This makes them highly prized targets for attackers who know they are likely overprivileged and under-monitored.”

Source: Scworld.com

SaaS Security Alert: Threat actor targeting Commvault SaaS cloud application

CISA issued an alert on May 22 2025 warning that threat actors had compromised Commvault’s Azure-hosted Metallic SaaS backup platform. The attackers specifically targeted and accessed client secrets that Commvault customers use to protect their Microsoft 365 (M365) backups. By obtaining these secrets, the threat actors could potentially access affected customers’ M365 environments, manipulate service principal configurations, and gain unauthorized access to business-critical data including email, SharePoint, and OneDrive content.

Attack Methodology

Initial access: Exploitation of CVE‑2025‑3928 on Commvault Web Server to deploy web shells inside Commvault’s Azure environment.

What was exposed: A subset of stored app credentials (client secrets) that certain customers use for Metallic‑managed M365 backups.

CISA believes this activity is part of a larger wave of attacks abusing default SaaS configurations and over‑privileged service principals across multiple vendors.

Recommended Actions

Threat hunting

Review Microsoft Entra audit, sign‑in, and unified logs for any unauthorized addition or modification of credentials linked to Commvault service principals.

Flag sign‑ins outside normal schedules or from known malicious IPs: 108.69.148[.]100, 128.92.80[.]210, 184.153.42[.]129, 108.6.189[.]53, 154.223.17[.]243, 159.242.42[.]20
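The two hunting steps above (credentials added to service principals by Commvault apps, and sign‑ins from the listed IOC addresses or outside the normal schedule) as an added Python example; it is not part of the original article nor any Commvault or CISA tooling. The audit and sign‑in records are constructed to mirror Microsoft Graph auditLogs field names, and the service‑principal names, the "commvault" initiator keyword and the 00:00–04:00 UTC backup window are assumptions to replace with your own tenant export and baseline.

```python
"""Hunt Entra audit and sign-in records for the indicators in the advisory:
credentials added to service principals by Commvault apps, sign-ins from the
published IOC addresses, and sign-ins outside the normal backup schedule.
All records below are constructed samples shaped like Graph auditLogs output."""
from datetime import datetime, time, timezone

# IOC addresses published by Commvault (defanged on the page, re-fanged here).
IOC_IPS = {
    "108.69.148.100", "128.92.80.210", "184.153.42.129",
    "108.6.189.53", "154.223.17.243", "159.242.42.20",
}

# Entra audit activity names that add a credential to a service principal.
# Extend with the other credential-management operations your tenant logs.
CREDENTIAL_OPERATIONS = {"Add service principal credentials"}

# Assumed normal backup window (UTC); derive this from your own sign-in baseline.
BACKUP_WINDOW = (time(0, 0), time(4, 0))

# Constructed sample audit records (not real log data).
AUDIT_RECORDS = [
    {"activityDisplayName": "Add service principal credentials",
     "activityDateTime": "2025-04-02T02:14:09Z",
     "initiatedBy": {"app": {"displayName": "Commvault Metallic Backup"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "Metallic M365 Backup"}]},
    {"activityDisplayName": "Update user",
     "activityDateTime": "2025-04-02T09:00:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"type": "User", "displayName": "jdoe"}]},
]

# Constructed sample service-principal sign-in records.
SIGNIN_RECORDS = [
    {"createdDateTime": "2025-04-03T01:30:00Z", "servicePrincipalName": "Metallic M365 Backup", "ipAddress": "203.0.113.10"},
    {"createdDateTime": "2025-04-03T13:05:00Z", "servicePrincipalName": "Metallic M365 Backup", "ipAddress": "203.0.113.10"},
    {"createdDateTime": "2025-04-04T02:10:00Z", "servicePrincipalName": "Metallic M365 Backup", "ipAddress": "108.69.148.100"},
]


def _ts(value):
    """Parse a Graph-style ISO-8601 timestamp ('Z' suffix) into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def credential_changes_by_app(records, app_keyword="commvault"):
    """Audit entries where a credential was added to a service principal or
    application and the initiating identity is an app whose name contains app_keyword."""
    hits = []
    for rec in records:
        if rec.get("activityDisplayName") not in CREDENTIAL_OPERATIONS:
            continue
        app = rec.get("initiatedBy", {}).get("app") or {}  # None when a user initiated it
        if app_keyword.lower() in app.get("displayName", "").lower():
            targets = [t["displayName"] for t in rec.get("targetResources", [])
                       if t.get("type") in ("ServicePrincipal", "Application")]
            hits.append({"time": rec["activityDateTime"],
                         "initiator": app["displayName"], "targets": targets})
    return hits


def suspicious_signins(records, ioc_ips=IOC_IPS, window=BACKUP_WINDOW):
    """Sign-ins from an IOC address or outside the expected schedule, each tagged with why."""
    start, end = window
    findings = []
    for rec in records:
        reasons = []
        if rec.get("ipAddress") in ioc_ips:
            reasons.append("ioc_ip")
        if not (start <= _ts(rec["createdDateTime"]).time() <= end):
            reasons.append("outside_schedule")
        if reasons:
            findings.append({"time": rec["createdDateTime"], "principal": rec.get("servicePrincipalName"),
                             "ip": rec.get("ipAddress"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in credential_changes_by_app(AUDIT_RECORDS):
        print("CREDENTIAL CHANGE", hit)
    for finding in suspicious_signins(SIGNIN_RECORDS):
        print("SUSPICIOUS SIGN-IN", finding)
```

On the constructed data the first function returns the single credential addition initiated by the Commvault app, and the second returns the 13:05 sign‑in (outside the window) and the 02:10 sign‑in (from an IOC address), while the in‑window sign‑in from a clean address is not reported. In practice, feed it the JSON export of the directoryAudits and servicePrincipalSignIns collections and tune the window per service principal.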

Rotate credentials

Immediately rotate M365 app secrets used by Commvault Metallic and set a 30‑day (or shorter) rotation policy going forward.

For single‑tenant apps, revalidate scopes to enforce least‑privilege permissions.

Conditional Access

Apply Conditional Access policies restricting Commvault service‑principal logins to Commvault’s allow‑listed IP ranges (Entra Workload ID Premium required).

Patch & harden

Apply Commvault patches addressing CVE‑2025‑3928 and follow updated hardening guides (Article 87661).

Remove external access to legacy Commvault web modules where possible.

Timeline

Feb 20 2025: Microsoft alerts Commvault to unauthorized activity.

Apr 2025: Microsoft provides additional threat intel; Commvault updates advisory.

May 22 2025: CISA issues public advisory; CVE‑2025‑3928 added to KEV catalog.

Summary

Stolen application secrets can give attackers privileged, API‑level access to M365 data, often without triggering user sign‑in alerts. Immediate credential rotation, strict Conditional Access, and vigilant log monitoring are critical to contain potential compromise and prevent follow‑on SaaS supply‑chain attacks.

Source: Securityboulevard.com

CISA Alerts on Threat Actors Targeting Commvault Azure App to Steal Secrets

On May 22, 2025, Commvault, a leading enterprise data backup provider, issued an urgent advisory regarding active cyber threat activity targeting its Metallic software-as-a-service (SaaS) application, which is hosted in the Microsoft Azure cloud environment.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed that threat actors exploited a zero-day vulnerability (CVE-2025-3928) in Commvault’s web server, enabling unauthorized access to client secrets for the Metallic Microsoft 365 (M365) backup solution.

These application secrets, which are used for authenticating access to customer M365 environments, were stored by Commvault on behalf of its clients.


The compromise potentially allowed attackers to access customers’ M365 environments, posing a significant risk to sensitive enterprise data.

CISA indicated that this incident is likely part of a broader campaign targeting cloud applications with default configurations and elevated permissions—a pattern increasingly observed in attacks on SaaS providers.

Commvault emphasized that, to date, there is no evidence of unauthorized access to customer backup data or material impact on business operations.

The company responded by rotating affected credentials and enhancing security controls across its Azure-hosted services.

Technical Details: Exploited Vulnerabilities and Attack Vectors

The primary vulnerability exploited, CVE-2025-3928, allowed remote, authenticated attackers to create and execute web shells on the Commvault web server.

This provided a foothold for further lateral movement and potential credential theft. The attack was detected after Microsoft notified Commvault of unauthorized activity in February 2025, which a subsequent investigation attributed to a nation-state threat actor.

In parallel, another critical vulnerability, CVE-2025-34028, was identified in the Commvault Command Center.

This flaw, rated with a CVSS score of 10/10, is a path traversal vulnerability that enables unauthenticated remote code execution (RCE) via malicious ZIP file uploads.

Attackers can exploit this by uploading a ZIP archive containing a JavaServer Pages (JSP) file, which is then executed by the server, potentially leading to a complete compromise of the Command Center environment.

Technical mitigations for these vulnerabilities include:

Monitoring Microsoft Entra audit logs for unauthorized modifications or additions of credentials to service principals associated with Commvault applications.

Reviewing unified audit logs and conducting internal threat hunting in alignment with incident response policies.

Implementing conditional access policies for single-tenant applications, restricting authentication to approved IP addresses within Commvault’s allowlisted range (requires Microsoft Entra Workload ID Premium License).

Regularly rotating application secrets and credentials, with a recommended interval of at least every 30 days for customers with control over their secrets.

Mitigation Steps and Ongoing Response

CISA has added CVE-2025-3928 and CVE-2025-34028 to its Known Exploited Vulnerabilities (KEV) catalog, mandating immediate patching by federal agencies and strongly advising all organizations to do the same.

Commvault has released patches for affected versions (11.38.20 and 11.38.25), but organizations must ensure the correct sub-versions are installed, as not all updates fully remediate the issue.

Additional recommendations include:

Restricting access to Commvault management interfaces to trusted networks and administrative systems.

Deploying a Web Application Firewall (WAF) to detect and block path traversal attempts and suspicious file uploads.

Reviewing application registrations and service principals in Microsoft Entra for excessive privileges.

Applying general M365 security best practices as outlined in CISA’s Secure Cloud Business Applications (SCuBA) project.

Organizations are urged to report incidents or anomalous activity to CISA’s 24/7 Operations Center.

The situation remains dynamic, with CISA and Commvault collaborating with industry partners to monitor for further malicious activity and to update mitigation guidance as new intelligence emerges.

Key Technical Terms:

Client Secrets: Credentials used by applications to authenticate to cloud services.

Service Principal: An identity used by applications or services to access specific resources in Azure.

Remote Code Execution (RCE): An attack that allows execution of arbitrary code on a target system.

Path Traversal: A vulnerability that allows attackers to access directories and execute files outside the intended directory.

Web Shell: A script that enables remote control of a web server.

Conditional Access Policy: Security controls that restrict access to applications based on defined conditions, such as IP address.

Example Code Snippet for Conditional Access Policy (PowerShell):

```powershell
# Build the condition set: the Commvault app registration, all users, and every
# location except the trusted named location (neither ID is given in the article,
# so both are placeholders).
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = "All"
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = "<commvault-app-id>"
$conditions.Locations = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessLocationCondition
$conditions.Locations.IncludeLocations = "All"
$conditions.Locations.ExcludeLocations = "<trusted-named-location-id>"
# Block whatever matches, i.e. sign-ins to the app from outside the trusted range.
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = "OR"
$controls.BuiltInControls = "block"
New-AzureADMSConditionalAccessPolicy -DisplayName "Restrict Commvault App" -State "Enabled" `
    -Conditions $conditions -GrantControls $controls
# This cmdlet targets user sign-ins; a policy on the service principal itself
# needs Microsoft Entra Workload ID Premium, as noted above.
```

This policy restricts authentication for the Commvault application to a trusted IP range, enhancing security for single-tenant environments.

Source: Gbhackers.com

Commvault attack may be part of a broader campaign targeting SaaS players, CISA warns

A nation-state actor’s targeting of Commvault over the last few months may be part of a wider campaign against SaaS companies’ cloud applications, CISA has warned.

The data management and security company has had a torrid time over the last few months.

As CISA warned this week, the firm has been “monitoring cyber threat activity targeting their applications hosted in their Microsoft Azure cloud environment.” The specific target appears to be Commvault’s Metallic backup service.

Earlier this month Commvault said that Microsoft had first flagged suspicious activity by “a nation state actor” back in February.

The actor was using “sophisticated techniques to try to gain access to customer M365 environments,” it continued, and “may have accessed a subset of app credentials that certain Commvault customers use to authenticate their M365 environments.”

Threat actors could have accessed “client secrets” for Commvault’s Microsoft 365 backup service hosted on Azure, the agency said. This could have given them unauthorized access to Commvault’s customers’ M365 environments that have application secrets stored by Commvault.

Ominously, the agency added that it believes “the threat activity may be part of a larger campaign targeting various SaaS companies’ cloud applications with default configurations and elevated permissions.”

The agency said it was “continuing to investigate the malicious activity in collaboration with partner organizations.”

In the meantime, customers are advised to hit the logs to check for unusual activity, including “deviations from regular login schedules”, and to conduct internal threat hunting.

Where customers have control of Commvault’s application secrets, they are advised to rotate them.

On-prem customers are also advised to take precautions, including restricting access to Commvault management interfaces, hunting down path traversals and uploads, and applying patches.

Meanwhile, Commvault has rotated key staff. In March it announced Bill O’Connell as Chief Security Officer. O’Connell had previously held security briefs at Roche and ADP. Also in March, it appointed Ha Hoang as its new CIO. Hoang has previously been group VP of cloud engineering and infrastructure at UKG.

At the end of April, WatchTowr praised Commvault for its rapid response to a flaw in its Command Center environment.

Source: Thestack.technology

CISA Warns of Suspected Broader SaaS Attacks Exploiting App Secrets and Cloud Misconfigs

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday revealed that Commvault is monitoring cyber threat activity targeting applications hosted in their Microsoft Azure cloud environment.

“Threat actors may have accessed client secrets for Commvault’s (Metallic) Microsoft 365 (M365) backup software-as-a-service (SaaS) solution, hosted in Azure,” the agency said.

“This provided the threat actors with unauthorized access to Commvault’s customers’ M365 environments that have application secrets stored by Commvault.”

CISA further noted that the activity may be part of a broader campaign targeting various software-as-a-service (SaaS) providers’ cloud infrastructures with default configurations and elevated permissions.

The advisory comes weeks after Commvault revealed that Microsoft notified the company in February 2025 of unauthorized activity by a nation-state threat actor within its Azure environment.

The incident led to the discovery that the threat actors had been exploiting a zero-day vulnerability (CVE-2025-3928), an unspecified flaw in the Commvault Web Server that enables a remote, authenticated attacker to create and execute web shells.

“Based on industry experts, this threat actor uses sophisticated techniques to try to gain access to customer M365 environments,” Commvault said in an announcement. “This threat actor may have accessed a subset of app credentials that certain Commvault customers use to authenticate their M365 environments.”

Commvault said it has taken several remedial actions, including rotating app credentials for M365, but emphasized that there has been no unauthorized access to customer backup data.

To mitigate such threats, CISA is recommending that users and administrators follow the guidelines below:

Monitor Entra audit logs for unauthorized modifications or additions of credentials to service principals initiated by Commvault applications/service principals

Review Microsoft logs (Entra audit, Entra sign-in, unified audit logs) and conduct internal threat hunting

For single tenant apps, implement a conditional access policy that limits authentication of an application service principal to an approved IP address that is listed within Commvault’s allowlisted range of IP addresses

Review the list of Application Registrations and Service Principals in Entra with administrative consent for higher privileges than the business need

Restrict access to Commvault management interfaces to trusted networks and administrative systems

Detect and block path-traversal attempts and suspicious file uploads by deploying a Web Application Firewall and removing external access to Commvault applications

CISA, which added CVE-2025-3928 to its Known Exploited Vulnerabilities Catalog in late April 2025, said it’s continuing to investigate the malicious activity in collaboration with partner organizations.

Source: Thehackernews.com

CISA Alerts on Threat Actors Targeting Commvault’s Azure App to Steal Secrets

CISA issued an urgent advisory, warning organizations about ongoing cyber threat activity targeting Commvault’s software-as-a-service (SaaS) cloud applications hosted in Microsoft Azure environments.

Threat actors have successfully accessed client secrets for Commvault’s Metallic Microsoft 365 backup solution, providing unauthorized access to customer M365 environments where Commvault stores application secrets.

This breach represents a broader campaign targeting various SaaS companies’ cloud applications with default configurations and elevated permissions, highlighting critical vulnerabilities in enterprise cloud security infrastructures.

Nation-State Actors Exploit Zero-Day Vulnerability CVE-2025-3928

The attack campaign centers around exploiting CVE-2025-3928, a critical zero-day vulnerability in Commvault Web Server that was initially discovered in February 2025.

Commvault confirmed that an unknown nation-state threat actor breached its Microsoft Azure environment by exploiting this vulnerability, which allows remote, authenticated attackers to create and execute webshells on affected Commvault Web Servers.

The vulnerability affects multiple Commvault versions, including 11.36.0 through 11.36.45, 11.32.0 through 11.32.88, 11.28.0 through 11.28.140, and 11.20.0 through 11.20.216. Patches are available in versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217, respectively.

CISA added CVE-2025-3928 to its Known Exploited Vulnerabilities (KEV) catalog, mandating Federal Civilian Executive Branch agencies to apply necessary patches by May 19, 2025.

Commvault Metallic Breach Exposes M365 Client Secrets

The successful exploitation allowed threat actors to access client secrets for Commvault’s Metallic application, which provides Microsoft 365 backup services to enterprise customers.

This access enabled unauthorized entry into customers’ M365 environments where application secrets are stored by Commvault, potentially affecting thousands of organizations globally.

Commvault has identified specific malicious IP addresses associated with the attack: 108.69.148.100, 128.92.80.210, 184.153.42.129, 108.6.189.53, and 159.242.42.20.

While Commvault maintains that no customer backup data was compromised and business operations remain unaffected, the breach demonstrates sophisticated targeting of cloud service providers to gain lateral access to customer environments.

CISA has issued comprehensive mitigation guidance requiring organizations to implement multiple security controls immediately. Critical recommendations include:

Monitoring Microsoft Entra audit logs for unauthorized modifications to service principals

Implementing conditional access policies that restrict application service principal authentication to approved IP addresses within Commvault’s allowlisted ranges

Rotating application secrets for Metallic applications and service principals used between February and May 2025.

Organizations must also review Entra, sign-in, and unified audit logs while conducting internal threat hunting aligned with incident response policies.

For single-tenant applications, a Microsoft Entra Workload ID Premium License is required to apply conditional access policies to application service principals.

Additional precautionary measures include deploying Web Application Firewalls to detect path-traversal attempts, restricting access to Commvault management interfaces to trusted networks, and establishing policies for credential rotation every 30 days.
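The secret‑rotation guidance above (rotate secrets that were in use between February and May 2025, and keep to a 30‑day rotation policy) as an added Python example that is not part of the original article or of any Commvault or CISA tooling. The input shape mirrors the passwordCredentials collection on a Graph application object; the three sample app registrations, the 30‑day limit and the exposure window bounded by the advisory’s own dates (Feb 20 and May 22, 2025) are assumptions to replace with your tenant’s export and your own policy.

```python
"""Audit app-registration client secrets against the rotation guidance:
flag secrets older than the 30-day policy, secrets that were live at any point
during the February-May 2025 exposure window, and expired secrets that should
simply be removed. Record shape mirrors Graph application.passwordCredentials;
the sample apps are constructed."""
from datetime import datetime, timedelta, timezone

# Window bounded by the advisory timeline: Microsoft's notification to
# Commvault (Feb 20 2025) and CISA's public advisory (May 22 2025).
EXPOSURE_WINDOW = (datetime(2025, 2, 20, tzinfo=timezone.utc),
                   datetime(2025, 5, 22, tzinfo=timezone.utc))
MAX_SECRET_AGE = timedelta(days=30)  # the 30-day policy recommended above

# Constructed sample app registrations (not real tenant output).
APPS = [
    {"displayName": "Metallic M365 Backup", "passwordCredentials": [
        {"keyId": "k1", "displayName": "backup-secret",
         "startDateTime": "2025-01-15T00:00:00Z", "endDateTime": "2026-01-15T00:00:00Z"}]},
    {"displayName": "Reporting Connector", "passwordCredentials": [
        {"keyId": "k2", "displayName": "fresh",
         "startDateTime": "2025-05-23T00:00:00Z", "endDateTime": "2025-06-22T00:00:00Z"}]},
    {"displayName": "Legacy Sync", "passwordCredentials": [
        {"keyId": "k3", "displayName": "old",
         "startDateTime": "2024-06-01T00:00:00Z", "endDateTime": "2025-02-01T00:00:00Z"}]},
    {"displayName": "Mailbox Export", "passwordCredentials": [
        {"keyId": "k4", "displayName": "recent",
         "startDateTime": "2025-05-01T00:00:00Z", "endDateTime": "2026-05-01T00:00:00Z"}]},
]


def _ts(value):
    """Parse a Graph-style ISO-8601 timestamp ('Z' suffix) into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def secret_findings(apps, now, max_age=MAX_SECRET_AGE, window=EXPOSURE_WINDOW):
    """Return one finding per secret that needs action, with the reasons and its age."""
    findings = []
    for app in apps:
        for cred in app.get("passwordCredentials", []):
            start, end = _ts(cred["startDateTime"]), _ts(cred["endDateTime"])
            reasons = []
            if end <= now:
                reasons.append("expired_remove")  # dead secrets are deleted, not rotated
            else:
                if now - start > max_age:
                    reasons.append("older_than_policy")
                # Live during the window if its validity period overlaps the window at all.
                if start <= window[1] and end >= window[0]:
                    reasons.append("live_during_exposure_window")
            if reasons:
                findings.append({"app": app["displayName"], "keyId": cred["keyId"],
                                 "age_days": (now - start).days, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in secret_findings(APPS, now=datetime(2025, 5, 23, tzinfo=timezone.utc)):
        print(finding)
```

Evaluated at May 23, 2025, the constructed data yields three findings: k1 is both past the 30‑day limit and was live throughout the window, k3 has expired and should be deleted, and k4, although only 22 days old, was live during the window and must still be rotated. k2, created after the window and within policy, is clean. The overlap test is deliberately inclusive: a secret that was valid for even one day of the window is treated as exposed.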

CISA emphasizes implementing general M365 security recommendations outlined in the Secure Cloud Business Applications (SCuBA) Project to strengthen overall cloud security postures.

Source: Cybersecuritynews.com

Detecting Vulnerable Commvault Environments Within Azure Using KQL Query

Cybersecurity analysts are racing to respond to an active exploitation campaign targeting Commvault environments in Microsoft Azure through the recently identified CVE-2025-3928 vulnerability.

This critical vulnerability, which enables authenticated attackers to compromise web servers through the creation and execution of webshells, has already been weaponized by a sophisticated nation-state threat actor and is now part of CISA’s Known Exploited Vulnerabilities (KEV) catalog.

The CVE-2025-3928 vulnerability affects Commvault Web Server modules in all CommServe, Web Servers, and Command Center software deployments.

According to Commvault’s advisory, this vulnerability allows authenticated threat actors to compromise web servers by creating and executing webshells.

While exploitation requires authenticated credentials, attackers have successfully acquired and leveraged these credentials to facilitate intrusions.

“This activity has affected a small number of customers we have in common with Microsoft, and we are working with those customers to provide assistance,” Commvault stated in a recent update.

The company emphasized that there has been no evidence of unauthorized access to customer backup data, though investigations continue.

Detection Through KQL

Steven Lim of KQLWizard developed a KQL Query to detect potential compromise and mitigate damage before sensitive data is exfiltrated.

Security teams managing Azure environments with Commvault integrations can implement KQL queries to identify suspicious activities.

The query below leverages Azure Activity logs and SigninLogs to detect connection attempts from known malicious IP addresses associated with the exploitation campaign:

```kql
let CommVaultIOC = dynamic(["108.69.148.100", "128.92.80.210", "184.153.42.129", "108.6.189.53", "159.242.42.20"]);
let AzureActivityResult = AzureActivity
    | where TimeGenerated > ago(90d)
    | where CallerIpAddress has_any (CommVaultIOC);
SigninLogs
    | where TimeGenerated > ago(90d)
    | where IPAddress has_any (CommVaultIOC)
    | union AzureActivityResult
```

This query creates a dynamic array containing IP addresses that Commvault has identified as related to malicious activity.

It then searches both Azure Activity logs and Signin logs for the past 90 days, filtering for any events where the caller IP address matches these known malicious addresses, effectively identifying potential compromise attempts.

Mitigations

CISA has mandated that Federal Civilian Executive Branch agencies apply patches for this vulnerability by May 19, 2025.

However, all organizations using Commvault products should immediately apply the fixes available in versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for both Windows and Linux platforms.

Beyond patching, Commvault recommends implementing Conditional Access policies for all Microsoft 365, Dynamics 365, and Azure AD single-tenant app registrations. Additionally, organizations should:

Rotate and sync client secrets between the Azure portal and Commvault every 90 days.

Explicitly block the identified malicious IP addresses in Conditional Access policies.

Monitor sign-in activity for access attempts from outside allowlisted ranges.

Report suspicious activities to Commvault Support immediately.

With nation-state actors actively exploiting CVE-2025-3928, organizations must prioritize detection and remediation.

The provided KQL query serves as a critical tool for security teams to identify potential compromises through Azure’s native logging capabilities.

By combining this detection mechanism with proper patching and enhanced security measures, organizations can significantly reduce their risk exposure while ensuring the integrity of their Commvault environments.

Source: Cybersecuritynews.com

Commvault clients should beware of campaign targeting cloud applications, CISA says

Federal cyber defenders are warning that hackers are targeting the cloud environments of clients of data management giant Commvault.

The New Jersey-based company previously said it was notified by Microsoft in February of a data breach caused by an unnamed nation-state threat actor that allowed access to “a subset of app credentials that certain Commvault customers use to authenticate their M365 environments.”

On Thursday evening, the Cybersecurity and Infrastructure Security Agency (CISA) warned that Commvault is now “monitoring cyber threat activity targeting their applications hosted in their Microsoft Azure cloud environment.”

“CISA believes the threat activity may be part of a larger campaign targeting various SaaS [software-as-a-service] companies’ cloud applications with default configurations and elevated permissions,” the agency said.

CISA said that the threat actors likely “accessed client secrets for Commvault’s (Metallic) Microsoft 365 (M365) backup software-as-a-service (SaaS) solution, hosted in Azure.” In this context, a secret refers to a unique code used to connect applications to servers.

In multiple blogs throughout March, April and May, Commvault explained that the breach “affected a small number of customers” that the company has in common with Microsoft.

Commvault reiterated that the hackers never accessed customer backup data that the company stores and protects, and that it was working with CISA and the FBI on the issue. The company said it rotated credentials for impacted customers and took several other actions to deal with the incident.

In its notice on Thursday, CISA provided its own list of actions Commvault customers should take to protect themselves, including monitoring logs, rotating credentials and more.

CISA noted in its advisory that it recently added a Commvault vulnerability — CVE-2025-3928 — to its catalog of exploited bugs and is “continuing to investigate the malicious activity in collaboration with partner organizations.”

Commvault previously said that its forensic investigation discovered that the threat actor “exploited a zero-day vulnerability” and included a link to an advisory on CVE-2025-3928.

When asked why the advisory was released on Thursday, CISA declined to provide more information. A Commvault spokesperson said there “are no new developments in this CISA alert since the advisory we posted on May 4.”

CISA is “merely reporting on activity we published and alerted them to from then,” they told Recorded Future News.

Microsoft did not respond to requests for comment about which country was behind the attacks, what companies are being targeted and what data may be at risk.

James Maude, field CTO at BeyondTrust, which has investigated similar breaches in the past, noted that incidents like this highlight the risk involved with allowing third parties privileged access into your environment.

“Their breach becomes your breach,” he said.

Source: Therecord.media

Source: https://www.scworld.com/news/cisa-warns-of-attacks-on-commvaults-microsoft-azure-environment
