Cyber Web Spider Blog – News

CISA Warns of Suspected Broader SaaS Attacks Exploiting App Secrets and Cloud Misconfigs

Posted on May 23, 2025 By CWS

Might 23, 2025Ravie LakshmananCloud Safety / VulnerabilityThe U.S. Cybersecurity and Infrastructure Safety Company (CISA) on Thursday revealed that Commvault is monitoring cyber risk exercise concentrating on functions hosted of their Microsoft Azure cloud surroundings.
“Risk actors might have accessed consumer secrets and techniques for Commvault’s (Metallic) Microsoft 365 (M365) backup software-as-a-service (SaaS) answer, hosted in Azure,” the company mentioned.
“This offered the risk actors with unauthorized entry to Commvault’s clients’ M365 environments which have utility secrets and techniques saved by Commvault.”
CISA additional famous that the exercise could also be a part of a broader marketing campaign concentrating on varied software-as-a-service (SaaS) suppliers’ cloud infrastructures with default configurations and elevated permissions.
The advisory comes weeks after Commvault revealed that Microsoft notified the corporate in February 2025 of unauthorized exercise by a nation-state risk actor inside its Azure surroundings.
The incident led to the invention that the risk actors had been exploiting a zero-day vulnerability (CVE-2025-3928), an unspecified flaw within the Commvault Internet Server that allows a distant, authenticated attacker to create and execute internet shells.
“Primarily based on trade consultants, this risk actor makes use of refined strategies to attempt to acquire entry to buyer M365 environments,” Commvault mentioned in an announcement. “This risk actor might have accessed a subset of app credentials that sure Commvault clients use to authenticate their M365 environments.”

Commvault said it has taken several remedial actions, including rotating app credentials for M365, but emphasized that there was no unauthorized access to customer backup data.

To mitigate such threats, CISA is recommending that users and administrators follow the guidelines below:

  • Monitor Entra audit logs for unauthorized modifications or additions of credentials to service principals initiated by Commvault applications/service principals
  • Review Microsoft logs (Entra audit, Entra sign-in, unified audit logs) and conduct internal threat hunting
  • For single tenant apps, implement a conditional access policy that limits authentication of an application service principal to an approved IP address that’s listed within Commvault’s allowlisted range of IP addresses
  • Review the list of Application Registrations and Service Principals in Entra with administrative consent for higher privileges than the business need
  • Restrict access to Commvault management interfaces to trusted networks and administrative systems
  • Detect and block path-traversal attempts and suspicious file uploads by deploying a Web Application Firewall and removing external access to Commvault applications
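
As an added example (not from CISA, Commvault, or the original article), the first guideline can be sketched as a hunt over exported Entra audit records in the Microsoft Graph directoryAudit shape. The application display name, the sample records, and the activity-name fragments are constructed assumptions; confirm the strings your tenant actually logs.

```python
# Added example: hunt exported Entra audit records for credential changes
# made by an application identity. All sample records are constructed.

# Activity-name fragments for credential changes (assumption: confirm the
# exact strings your tenant logs before relying on them).
CRED_ACTIVITIES = ("add service principal credentials",
                   "certificates and secrets management")

def is_credential_change(event):
    activity = (event.get("activityDisplayName") or "").lower()
    if any(fragment in activity for fragment in CRED_ACTIVITIES):
        return True
    # "Update ..." events can also carry credential edits as a KeyDescription change.
    return any(prop.get("displayName") == "KeyDescription"
               for target in event.get("targetResources") or []
               for prop in target.get("modifiedProperties") or [])

def hunt(events, app_hint="commvault"):
    """Return credential changes whose initiator is an app matching app_hint."""
    findings = []
    for event in events:
        app = (event.get("initiatedBy") or {}).get("app") or {}
        name = app.get("displayName") or ""
        if app_hint in name.lower() and is_credential_change(event):
            findings.append({
                "time": event.get("activityDateTime"),
                "initiator": name,
                "activity": event.get("activityDisplayName"),
                "result": event.get("result"),
                "targets": [t.get("displayName") for t in event.get("targetResources") or []],
            })
    return findings

def record(time, activity, initiated_by, target, props=()):
    """Build a constructed record in the directoryAudit shape."""
    return {"activityDateTime": time, "activityDisplayName": activity,
            "result": "success", "initiatedBy": initiated_by,
            "targetResources": [{"displayName": target, "type": "ServicePrincipal",
                                 "modifiedProperties": [{"displayName": p} for p in props]}]}

BACKUP_APP = {"app": {"displayName": "Commvault Backup App (constructed)"}}
ADMIN = {"user": {"userPrincipalName": "admin@example.com"}}
SAMPLE = [
    record("2025-05-20T01:12:00Z", "Add service principal credentials", BACKUP_APP, "sp-mail-archive"),
    record("2025-05-20T02:40:00Z", "Update service principal", BACKUP_APP, "sp-sharepoint", ["KeyDescription"]),
    record("2025-05-20T03:05:00Z", "Update service principal", BACKUP_APP, "sp-teams", ["DisplayName"]),
    record("2025-05-20T09:30:00Z", "Add service principal credentials", ADMIN, "sp-hr-sync"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE):
        print(finding)
```

Each finding still needs to be compared against the credential rotations your own change records explain; the script only narrows the audit log to the events the guideline asks about.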

CISA, which added CVE-2025-3928 to its Known Exploited Vulnerabilities Catalog in late April 2025, said it is continuing to investigate the malicious activity in collaboration with partner organizations.
