CISA issued an urgent advisory about ongoing cyber threats targeting Commvault’s cloud applications. These software-as-a-service (SaaS) applications are hosted in Microsoft Azure cloud environments. Threat actors gained access to client secrets for Commvault’s Metallic M365 backup solution, which gave them unauthorized access to customers’ M365 cloud environments; Commvault stores its application secrets within those customer M365 environments. CISA noted that this activity may be part of a broader campaign targeting several SaaS providers, one that often exploits cloud infrastructure running with default configurations or elevated permissions.
The campaign centers on exploiting CVE-2025-3928, a critical, unspecified zero-day flaw in the Commvault Web Server software. Security researchers first discovered it in February 2025. Commvault confirmed that a nation-state threat actor breached its Microsoft Azure cloud environment by exploiting this flaw, which allows remote authenticated attackers to create and execute webshells. Multiple Commvault software versions are affected; patches are available in the latest Commvault releases. CISA added CVE-2025-3928 to its Known Exploited Vulnerabilities catalog in late April 2025 and mandated that federal agencies apply the patches by the May 19, 2025 deadline.
Exploitation of this flaw allowed the attackers to access Metallic app client secrets, which in turn enabled unauthorized entry into Commvault customers’ Microsoft 365 cloud environments. Commvault has publicly identified several malicious IP addresses associated with the attack. The company maintains that no customer backup data was compromised and that its core business operations remain largely unaffected. The breach nonetheless demonstrates deliberate targeting of cloud service provider platforms as a route to lateral access into customer cloud environments. Commvault said the actor uses sophisticated techniques in its attempts to gain M365 access, and the company has taken several remedial actions, including rotating M365 app credentials.
CISA recommends that users and administrators follow its mitigation guidance and implement the recommended security controls without delay. Key recommendations include monitoring Microsoft Entra audit logs for unauthorized credential modifications, implementing conditional access policies that restrict service principal authentication to approved IP addresses, and rotating the application secrets used for Metallic applications between February and May 2025. Organizations should also review logs and conduct internal threat hunting for suspicious activity, restrict access to Commvault management interfaces to trusted networks, and deploy Web Application Firewalls to detect path-traversal attempts and suspicious file uploads. CISA continues to investigate this activity in collaboration with its partners.
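The following is an added example, not code from the CISA advisory or from Commvault, showing how a defender might implement three of the recommendations above as checks over exported Microsoft Entra data: flagging application credential changes by unapproved identities in the audit log, flagging service principal sign-ins from outside an IP allow list (the same condition a conditional access policy would enforce), and listing application secrets whose validity overlapped the February to May 2025 rotation window. The sample records are constructed inline; the field names follow the Microsoft Graph audit-log and sign-in-log schema as far as I know it, and the `activityDisplayName` values and the `servicePrincipalName` field are assumptions to be checked against your own tenant’s logs.

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Entra audit-log operations that add, remove or replace app credentials.
# Assumption: these activityDisplayName values match your tenant's exports.
CREDENTIAL_OPS = {
    "Add service principal credentials",
    "Remove service principal credentials",
    "Update application - Certificates and secrets management",
}

# Rotation window named in the advisory: secrets in use between Feb and May 2025.
ROTATION_START = datetime(2025, 2, 1, tzinfo=timezone.utc)
ROTATION_END = datetime(2025, 5, 31, 23, 59, 59, tzinfo=timezone.utc)


def _ts(value):
    """Parse an ISO-8601 timestamp ending in Z into a timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _actor(entry):
    """Return the user UPN or app name that initiated an audit-log entry."""
    who = entry.get("initiatedBy", {})
    if who.get("user"):
        return who["user"].get("userPrincipalName", "unknown-user")
    if who.get("app"):
        return who["app"].get("displayName", "unknown-app")
    return "unknown"


def find_credential_changes(audit_logs, approved_actors):
    """Check 1: successful credential operations on apps not performed by an
    approved identity. Returns one summary dict per flagged entry."""
    flagged = []
    for e in audit_logs:
        if e.get("activityDisplayName") not in CREDENTIAL_OPS:
            continue
        if e.get("result") != "success":
            continue
        actor = _actor(e)
        if actor in approved_actors:
            continue
        targets = [t.get("displayName") for t in e.get("targetResources", [])]
        flagged.append({"time": e["activityDateTime"], "actor": actor,
                        "operation": e["activityDisplayName"], "targets": targets})
    return flagged


def find_signins_outside_allowlist(signins, allowed_cidrs):
    """Check 2: service principal sign-ins whose source IP is outside the
    allow list that a conditional access policy would enforce."""
    nets = [ip_network(c) for c in allowed_cidrs]
    return [{"time": s["createdDateTime"], "servicePrincipal": s["servicePrincipalName"],
             "ip": s["ipAddress"]}
            for s in signins
            if not any(ip_address(s["ipAddress"]) in n for n in nets)]


def secrets_needing_rotation(credentials):
    """Check 3: key IDs of app secrets whose validity period overlaps the
    Feb-May 2025 window, i.e. secrets that were usable during the campaign."""
    return [c["keyId"] for c in credentials
            if _ts(c["startDateTime"]) <= ROTATION_END
            and _ts(c["endDateTime"]) >= ROTATION_START]


# Constructed sample data (not real tenant records).
AUDIT_LOGS = [
    {"activityDateTime": "2025-04-02T10:15:00Z", "result": "success",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "backup-admin@example.com"}},
     "targetResources": [{"displayName": "Metallic Backup (constructed)"}]},
    {"activityDateTime": "2025-04-03T03:41:00Z", "result": "success",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"app": {"displayName": "Unknown App (constructed)"}},
     "targetResources": [{"displayName": "Metallic Backup (constructed)"}]},
    {"activityDateTime": "2025-04-04T09:00:00Z", "result": "success",
     "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.com"}},
     "targetResources": [{"displayName": "Some User (constructed)"}]},
]
SIGNINS = [
    {"createdDateTime": "2025-04-03T04:00:00Z", "ipAddress": "203.0.113.10",
     "servicePrincipalName": "Metallic Backup (constructed)"},
    {"createdDateTime": "2025-04-03T04:05:00Z", "ipAddress": "198.51.100.7",
     "servicePrincipalName": "Metallic Backup (constructed)"},
]
CREDENTIALS = [
    {"keyId": "cred-1 (constructed)", "startDateTime": "2025-01-10T00:00:00Z", "endDateTime": "2025-03-10T00:00:00Z"},
    {"keyId": "cred-2 (constructed)", "startDateTime": "2025-06-01T00:00:00Z", "endDateTime": "2026-06-01T00:00:00Z"},
    {"keyId": "cred-3 (constructed)", "startDateTime": "2024-06-01T00:00:00Z", "endDateTime": "2025-01-15T00:00:00Z"},
]


def run_checks():
    """Run all three checks over the constructed sample data."""
    return {
        "credential_changes": find_credential_changes(AUDIT_LOGS, {"backup-admin@example.com"}),
        "signins_outside_allowlist": find_signins_outside_allowlist(SIGNINS, ["203.0.113.0/24"]),
        "secrets_to_rotate": secrets_needing_rotation(CREDENTIALS),
    }


if __name__ == "__main__":
    for name, hits in run_checks().items():
        print(name, hits)
```

Against the constructed data, the first check flags the credential addition made by the unknown app, the second flags the sign-in from 198.51.100.7, and the third lists only the secret whose validity overlapped the window; the two checks on live data would read from the Graph `auditLogs/directoryAudits` and service principal sign-in exports rather than the inline lists.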