On May 22, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an alert on active cyber threat activity targeting the Metallic software-as-a-service (SaaS) application of Commvault, a prominent enterprise data backup provider, which is hosted in the Microsoft Azure cloud. CISA confirmed that threat actors exploited a zero-day vulnerability in Commvault's web server, designated CVE-2025-3928, to gain unauthorized access to client secrets associated with the Metallic Microsoft 365 (M365) backup solution.
These application secrets, utilized for authenticating access to customer M365 environments, were stored by Commvault on behalf of its clients. The compromise potentially allowed attackers to infiltrate customers’ M365 environments, posing a significant risk to sensitive enterprise data. CISA indicated that this incident is likely part of a broader campaign targeting cloud applications with default configurations and elevated permissions—a pattern increasingly observed in attacks on SaaS providers.
Commvault emphasized that, to date, there is no evidence of unauthorized access to customer backup data or material impact on business operations. In response, the company rotated affected credentials and enhanced security controls across its Azure-hosted services.

Technical Details: Exploited Vulnerabilities and Attack Vectors

The primary vulnerability, CVE-2025-3928, allows a remote attacker who already holds valid credentials to create and execute web shells on the Commvault Web Server, giving a persistent foothold for lateral movement and credential theft. Commvault learned of the intrusion when Microsoft notified it of unauthorized activity in its Azure environment in February 2025; the subsequent investigation attributed the activity to a nation-state threat actor.
In parallel, a second critical vulnerability, CVE-2025-34028, was identified in the Commvault Command Center. Rated CVSS 10.0, it is a path traversal flaw that allows unauthenticated remote code execution (RCE) through a malicious ZIP upload: the attacker uploads an archive containing a JavaServer Pages (JSP) file whose entry name escapes the intended extraction directory, the server writes it to a location where it is served and executed, and the Command Center host can be fully compromised.
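The traversal class behind CVE-2025-34028 is easiest to see in a small extraction routine. The Python below is an added example for this page, not Commvault code and not a reproduction of the exploit: it builds a constructed archive in memory with one entry that climbs out of the extraction directory, shows where the naive "join the entry name onto the destination" pattern would put it, and the containment check that rejects the whole upload before anything is written. The directory names and entry names are hypothetical.

```python
"""Unsafe vs. hardened ZIP extraction: a generic illustration of the path-traversal
("zip slip") class behind CVE-2025-34028. Added example, not Commvault code; the
archive below is constructed in memory and the entry names are hypothetical."""
import io
import os
import re
import tempfile
import zipfile


def build_sample_zip(include_traversal: bool) -> bytes:
    """Constructed upload: one benign entry and, optionally, one that climbs out of
    the extraction directory to drop a JSP where a servlet container would run it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report/readme.txt", "harmless content")
        if include_traversal:
            zf.writestr("../../webapps/ROOT/shell.jsp", "<% /* attacker-controlled */ %>")
    return buf.getvalue()


def naive_target(dest: str, name: str) -> str:
    """The vulnerable pattern: join the untrusted entry name straight onto dest.
    '..' components are honoured, so the result can land anywhere on disk."""
    return os.path.realpath(os.path.join(dest, name))


def is_safe_entry(dest: str, name: str) -> bool:
    """Hardened check: reject absolute names, drive letters, backslashes (a Windows
    host would treat them as separators) and anything whose resolved path leaves
    dest. commonpath, not str.startswith, so 'dest-evil' cannot pose as dest."""
    if not name or "\\" in name or os.path.isabs(name) or re.match(r"^[A-Za-z]:", name):
        return False
    base = os.path.realpath(dest)
    return os.path.commonpath([base, naive_target(dest, name)]) == base


def audit_upload(data: bytes, dest: str) -> dict:
    """Classify every entry before extracting anything."""
    ok, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            (ok if is_safe_entry(dest, name) else rejected).append(name)
    return {"ok": ok, "rejected": rejected}


def safe_extract(data: bytes, dest: str) -> list:
    """Extract only if every entry passed; one bad entry rejects the whole upload."""
    verdict = audit_upload(data, dest)
    if verdict["rejected"]:
        raise ValueError(f"archive rejected, traversal entries: {verdict['rejected']}")
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in verdict["ok"]:
            target = os.path.join(dest, name)
            if name.endswith("/"):
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(name))
            written.append(target)
    return written


def demo() -> dict:
    """Run both archives through the hardened path in a throwaway directory."""
    with tempfile.TemporaryDirectory() as dest:
        verdict = audit_upload(build_sample_zip(True), dest)
        try:
            safe_extract(build_sample_zip(True), dest)
            blocked = False
        except ValueError:
            blocked = True
        written = safe_extract(build_sample_zip(False), dest)
    return {"verdict": verdict, "blocked": blocked, "benign_written": len(written)}


if __name__ == "__main__":
    print(demo())
```

Python's own `ZipFile.extractall` strips leading `..` components, but the naive `os.path.join` loop above and many Java archive-handling libraries do not, which is why the check must run on the resolved path rather than on the raw entry name. Containment is only the first layer: a JSP that lands inside the destination still executes if that destination is served by the application container, so an allowlist of expected file types belongs in the same upload handler.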
CISA's recommended mitigations for the Metallic M365 backup application include:
  • Monitoring Microsoft Entra audit logs for unauthorized modifications of, or additions to, credentials on the service principals associated with Commvault applications.
  • Reviewing the unified audit logs and conducting internal threat hunting in line with the organization's incident response policies.
  • Implementing a Conditional Access policy for the single-tenant application that limits authentication of its service principal to Commvault's allowlisted IP address ranges (requires a Microsoft Entra Workload ID Premium license).
  • Rotating application secrets and credentials regularly, at least every 30 days, for customers who control their own secrets.
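How the first and last items in the list above translate into something that runs against log data: the Python below is an added example, not CISA or Commvault tooling. It takes a handful of constructed records shaped like Microsoft Graph directoryAudit events and passwordCredential objects, flags credential additions on the Commvault application's identity made by anyone outside an approved set of actors, and lists secrets older than the 30-day rotation interval. The audit operation names, application name and account names are assumptions for the example and should be checked against the tenant's own logs.

```python
"""Entra-side detection for the mitigations above: flag credential additions on the
Commvault application's identity that were not made by an approved actor, and list
application secrets older than the 30-day rotation interval. Added example; the
records below are constructed to resemble Microsoft Graph directoryAudit and
passwordCredential objects and come from no real tenant."""
from datetime import datetime, timedelta, timezone

# Audit operations that add or change credentials on an app registration or its
# service principal (assumed names; confirm against your tenant's audit log).
CREDENTIAL_OPS = {
    "Update application – Certificates and secrets management",
    "Add service principal credentials",
}

# Constructed sample: four audit records, only the first should raise an alert.
SAMPLE_EVENTS = [
    {"activityDateTime": "2025-02-20T03:14:07Z",
     "activityDisplayName": "Update application – Certificates and secrets management",
     "initiatedBy": {"user": {"userPrincipalName": "unexpected-user@contoso.example"}},
     "targetResources": [{"displayName": "Commvault Metallic M365 Backup", "type": "Application"}]},
    {"activityDateTime": "2025-03-01T09:00:00Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "breakglass-admin@contoso.example"}},
     "targetResources": [{"displayName": "Commvault Metallic M365 Backup", "type": "ServicePrincipal"}]},
    {"activityDateTime": "2025-03-02T10:00:00Z",
     "activityDisplayName": "Update application – Certificates and secrets management",
     "initiatedBy": {"app": {"displayName": "HR Sync Connector"}},
     "targetResources": [{"displayName": "HR Sync Connector", "type": "Application"}]},
    {"activityDateTime": "2025-03-03T11:00:00Z",
     "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
     "targetResources": [{"displayName": "alice@contoso.example", "type": "User"}]},
]
WATCHED_APPS = {"Commvault Metallic M365 Backup"}          # assumed display name
APPROVED_ACTORS = {"breakglass-admin@contoso.example"}     # assumed change-control account

# Constructed passwordCredentials of the watched app registration.
SAMPLE_CREDENTIALS = [
    {"keyId": "1f2c0a3e-0000-4000-8000-000000000001", "startDateTime": "2024-12-01T00:00:00Z"},
    {"keyId": "1f2c0a3e-0000-4000-8000-000000000002", "startDateTime": "2025-05-10T00:00:00Z"},
]
NOW = datetime(2025, 5, 22, tzinfo=timezone.utc)   # fixed clock so the result is reproducible


def actor_of(event: dict) -> str:
    """Audit records are initiated either by a user or by an app; return a label."""
    who = event.get("initiatedBy") or {}
    if who.get("user"):
        return who["user"].get("userPrincipalName", "unknown-user")
    if who.get("app"):
        return who["app"].get("displayName", "unknown-app")
    return "unknown"


def credential_change_alerts(events, watched_apps, approved_actors) -> list:
    """Credential operations on a watched app by anyone outside the approved set."""
    alerts = []
    for ev in events:
        if ev.get("activityDisplayName") not in CREDENTIAL_OPS:
            continue
        targets = [t.get("displayName") for t in ev.get("targetResources", [])]
        hit = [t for t in targets if t in watched_apps]
        if not hit:
            continue
        actor = actor_of(ev)
        if actor in approved_actors:
            continue
        alerts.append({"when": ev["activityDateTime"], "actor": actor,
                       "target": hit[0], "operation": ev["activityDisplayName"]})
    return alerts


def stale_secrets(password_credentials, now, max_age_days=30) -> list:
    """keyIds of secrets issued more than max_age_days before now (rotation check)."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for cred in password_credentials:
        start = datetime.fromisoformat(cred["startDateTime"].replace("Z", "+00:00"))
        if start < cutoff:
            stale.append(cred["keyId"])
    return stale


if __name__ == "__main__":
    for alert in credential_change_alerts(SAMPLE_EVENTS, WATCHED_APPS, APPROVED_ACTORS):
        print("ALERT", alert)
    print("rotate:", stale_secrets(SAMPLE_CREDENTIALS, NOW))
```

In production the event list would come from the Graph `auditLogs/directoryAudits` endpoint or a SIEM export, and the credential list from the application object's `passwordCredentials`; the logic stays the same. Matching on display name is a convenience for the example: key the watch list on the application (client) ID or service principal object ID, which an attacker cannot rename.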

Mitigation Steps and Ongoing Response

CISA has added CVE-2025-3928 and CVE-2025-34028 to its Known Exploited Vulnerabilities (KEV) catalog, which mandates remediation by federal civilian agencies and strongly advises all organizations to do the same. CVE-2025-34028 is fixed in Command Center versions 11.38.20 and 11.38.25 (versions 11.38.0 through 11.38.19 are affected), while CVE-2025-3928 is fixed in separate maintenance releases for each supported feature release, so organizations must confirm the exact build they are running rather than assume that any recent update closes both issues.
Additional recommendations include:
  • Restricting access to Commvault management interfaces to trusted networks and administrative systems.
  • Deploying a Web Application Firewall (WAF) to detect and block path traversal attempts and suspicious file uploads.
  • Reviewing application registrations and service principals in Microsoft Entra for excessive privileges.
  • Applying general M365 security best practices as outlined in CISA’s Secure Cloud Business Applications (SCuBA) project.
Organizations are urged to report incidents or anomalous activity to CISA’s 24/7 Operations Center. The situation remains dynamic, with CISA and Commvault collaborating with industry partners to monitor for further malicious activity and to update mitigation guidance as new intelligence emerges.

Key Technical Terms

  • Client Secrets: Credentials used by applications to authenticate to cloud services.
  • Service Principal: The identity a Microsoft Entra tenant assigns to an application or service so it can be granted access to resources; it is the object whose credentials were at stake here.
  • Remote Code Execution (RCE): An attack that allows execution of arbitrary code on a target system.
  • Path Traversal: A vulnerability that lets attackers read or write files outside the directory the application intended to use, typically by supplying paths containing "..".
  • Web Shell: A script placed on a web server that lets an attacker run commands on it through ordinary HTTP requests.
  • Conditional Access Policy: Security controls that restrict access to applications based on defined conditions, such as IP address.

Example Code Snippet for Conditional Access Policy (PowerShell)

Code:
# Workload-identity Conditional Access via the Microsoft Graph PowerShell SDK. The
# retired AzureAD module's New-AzureADMSConditionalAccessPolicy cannot target service
# principals and has no -Locations parameter, so the earlier snippet did not work.
# Prerequisites: Microsoft Entra Workload ID Premium, and a named location that
# already contains Commvault's allowlisted IP ranges.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"
$policy = @{
    DisplayName = "Commvault app: block sign-in outside allowlisted IPs"
    State       = "enabled"   # use "enabledForReportingButNotEnforced" to pilot first
    Conditions  = @{
        ClientAppTypes     = @("all")
        Applications       = @{ IncludeApplications = @("All") }
        ClientApplications = @{ IncludeServicePrincipals = @("<CommvaultServicePrincipalObjectId>") }
        Locations          = @{
            IncludeLocations = @("All")
            ExcludeLocations = @("<TrustedIPRangeID>")   # named location for Commvault's allowlist
        }
    }
    GrantControls = @{ Operator = "OR"; BuiltInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
This policy blocks token requests from the Commvault application's service principal unless they originate from the named location holding Commvault's allowlisted IP ranges. It targets the workload identity itself; a user-facing policy that requires MFA would not apply to a service principal. Pilot it in report-only mode and confirm in the service principal sign-in logs that backups still authenticate before enforcing it.

Source: GBHackers News CISA Alerts on Threat Actors Targeting Commvault Azure App to Steal Secrets
 
