Commvault, a leading provider of data protection and information management solutions, has recently been at the center of significant cybersecurity incidents. These events have prompted advisories from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and have raised concerns about the security of cloud-based applications and services.
Overview of the Incidents
In early 2025, Commvault identified unauthorized activity within its Microsoft Azure environment. This activity was attributed to a suspected nation-state threat actor who exploited a zero-day vulnerability, designated as CVE-2025-3928, in Commvault's Web Server. This vulnerability allowed authenticated attackers to create and execute web shells, potentially leading to full system compromise. Commvault promptly addressed the issue by releasing patches and implementing enhanced security measures. The company emphasized that there was no unauthorized access to customer backup data and no material impact on business operations. (commvault.com)
CISA's Response and Advisory
In response to these developments, CISA added CVE-2025-3928 to its Known Exploited Vulnerabilities (KEV) catalog, highlighting the active exploitation of this flaw. CISA urged organizations to apply the necessary patches by May 19, 2025, to mitigate potential risks. The agency also noted that this activity might be part of a larger campaign targeting various SaaS companies' cloud applications with default configurations and elevated permissions. (sans.org)
Subsequent Vulnerabilities and Exploits
Shortly after addressing CVE-2025-3928, another critical vulnerability, CVE-2025-34028, was discovered in Commvault's Command Center. This path traversal flaw allowed unauthenticated attackers to execute arbitrary code remotely. Commvault released patches to address this issue, and CISA added this vulnerability to its KEV catalog, setting a remediation deadline of May 23, 2025. (thehackernews.com)
Implications for Cloud Security
These incidents underscore the evolving threat landscape facing cloud-based applications and services. The exploitation of zero-day vulnerabilities by sophisticated threat actors highlights the need for continuous monitoring, timely patching, and robust security configurations. Organizations are advised to implement Conditional Access policies, regularly rotate credentials, and monitor sign-in activities to detect unauthorized access attempts. (thehackernews.com)
Commvault's Proactive Measures
Commvault has demonstrated a proactive approach in addressing these security challenges. The company has collaborated with leading cybersecurity firms and coordinated with authorities, including the FBI and CISA. By sharing best practices and indicators of compromise, Commvault aims to enhance the security posture of its customers and the broader cybersecurity community. (commvault.com)
Conclusion
The recent cyber threat activities targeting Commvault's cloud applications serve as a critical reminder of the importance of vigilance and proactive security measures in the digital age. Organizations must stay informed about emerging threats, apply security patches promptly, and adopt comprehensive security strategies to safeguard their digital assets.
Source: HSToday CISA Advisory Update on Cyber Threat Activity Targeting Commvault’s Cloud Application HS Today
