The announcement of cyber threat activity targeting Commvault’s flagship SaaS cloud application, Metallic, marks a pivotal moment for cloud security and Managed Service Providers (MSPs), especially those tasked with safeguarding Microsoft 365 (M365) environments. As the wave of sophisticated attacks migrates towards SaaS platforms, the breach–tied to the exposure or theft of application secrets within Commvault’s Azure-hosted infrastructure–sends a stark warning across the industry. This article critically investigates the facts, the broader implications for cloud and SaaS security, and actionable steps for both Commvault customers and the wider IT and security community.
Commvault Metallic Breach: Anatomy and Scope
According to the official advisory and corroborated by the Cybersecurity and Infrastructure Security Agency (CISA), threat actors managed to access client secrets for Commvault’s Metallic SaaS solution–the core backup and recovery platform for Microsoft 365 data, hosted in Microsoft Azure. This effectively gave unauthorized parties a foothold in customer M365 environments wherever Commvault stored application secrets.
What Happened?
The attack centers around the compromise of application secrets handled by Commvault for its customers. These secrets typically represent authentication credentials in the form of OAuth client secrets, private keys, or other privileged tokens. In the context of M365, such credentials often grant wide-ranging access, potentially including the ability to read, modify, or exfiltrate emails, OneDrive files, and Teams content.
This incident appears to be part of a larger ongoing campaign, which CISA believes is targeting cloud applications and SaaS vendors with default or weak configurations and excessive permissions. The campaign’s sophistication signals opportunistic threat actors leveraging both technical skill and deep familiarity with cloud identity and access models.
Technical Breakdown and Critical Timeline
- Vulnerability Origin: Mismanagement or insufficient rotation of application secrets within the Azure environment.
- Potential Impact: Unauthorized access to customer M365 data backups, broader lateral movement within the Azure tenant, and exposure of sensitive cloud resources.
- Threat Actor Tactics: Unauthorized creation or alteration of credentials, anomalous use of existing service principals, exploitation of weakly-configured identity and access policies.
Reverberating Security Implications for SaaS and MSPs
Cloud Trust Assumptions Challenged
The modern assumption is that SaaS vendors, especially major ones integrated into Azure or AWS, have airtight operational and technical controls. This breach exposes the fallacy of that universal trust. SaaS vendors often aggregate privileged keys, automate backups, and manage identity at scale, sometimes trading off security rigor for operational convenience.
This event should reignite conversations about the shared responsibility model. Customers must revisit the fine print of their supply chain–what secrets their vendors manage, how often they rotate, and what monitoring is in place for potential abuse.
The Dangers of Privileged Service Principals
Administrative service principals (identity objects representing apps/services in Azure AD/Entra) can be dangerously overprivileged. When a third-party SaaS like Metallic asks for high-level admin consent with wide permissions, it dramatically increases the risk surface. The breach illustrates the damaging potential if such a principal’s secrets are leaked.
Default Configurations and Shadow Permissions
The campaign referenced by CISA targets cloud applications with default configurations and excessive permissions. Too often, SaaS integrations, including backup solutions, operate with broad, legacy permissions that go unreviewed after initial deployment. Attackers routinely exploit this overprivileged “shadow perimeter.”
Actionable Response: Recommendations from CISA and Best Practices
1. Enhanced Log Auditing and Threat Hunting
- Entra and Microsoft Logs: Monitor audit logs for unauthorized modifications to service principals and credential additions linked to Commvault apps. The guidance from CISA emphasizes reviewing Entra (formerly Azure AD) sign-in logs and conducting proactive threat hunting.
- Behavioral Clues: Any deviation from normal login times or device profiles should be treated as a red flag.
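As an added illustration of the log review described above (example code, not from the advisory or from Commvault), the following Python hunts through exported Entra audit records for credential additions to a backup app’s service principal and flags those made by an unexpected identity or outside business hours. The operation names, the allowlisted account, the app display name and the sample records are all assumptions constructed for the example.

```python
import json
from datetime import datetime

# Entra audit-log operations that change who can authenticate as an application
# (assumed activityDisplayName strings; confirm against your tenant's exported logs).
SENSITIVE_OPS = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}
# Identities expected to manage the backup app's credentials (assumed allowlist).
EXPECTED_INITIATORS = {"svc-change-mgmt@example.com"}

# Constructed sample records in the shape of Graph auditLogs/directoryAudits output:
# one off-hours addition by an unexpected user, one routine addition by the allowed account.
SAMPLE_AUDIT_LOG = json.dumps([
    {"activityDateTime": "2025-05-20T02:13:07Z", "result": "success",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "jdoe@example.com"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "Metallic Backup for M365"}]},
    {"activityDateTime": "2025-05-20T10:00:00Z", "result": "success",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "svc-change-mgmt@example.com"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "Metallic Backup for M365"}]},
])

def hunt_credential_changes(audit_json, app_name_hint, business_hours=(7, 19)):
    """Flag sensitive credential operations on service principals whose name contains
    app_name_hint when the initiator is unexpected or the change is outside business
    hours (UTC). Returns one finding per flagged record with the reasons."""
    findings = []
    for rec in json.loads(audit_json):
        if rec.get("activityDisplayName") not in SENSITIVE_OPS:
            continue
        targets = [t for t in rec.get("targetResources", [])
                   if t.get("type") == "ServicePrincipal"
                   and app_name_hint.lower() in t.get("displayName", "").lower()]
        if not targets:
            continue
        who = (rec.get("initiatedBy", {}).get("user") or {}).get("userPrincipalName", "<unknown>")
        hour = datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00")).hour
        reasons = []
        if who not in EXPECTED_INITIATORS:
            reasons.append("unexpected initiator")
        if not business_hours[0] <= hour < business_hours[1]:
            reasons.append("outside business hours")
        if reasons:
            findings.append({"time": rec["activityDateTime"], "op": rec["activityDisplayName"],
                             "target": targets[0]["displayName"], "by": who, "reasons": reasons})
    return findings
```

Feed it the JSON you export from the Graph directoryAudits endpoint or a SIEM; the routine change by the allowlisted account during business hours produces no finding, while the 02:13 addition by another user does.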
2. Conditional Access and Network Restrictions
- Conditional Access Policies: For single tenant applications, restrict authentication to a tight range of allowlisted IPs from Commvault, if feasible.
- Licensing Caveat: This step requires an Entra Workload ID Premium License–a potential cost and operational overhead many organizations must weigh.
3. Credential Rotation and Secrets Hygiene
- Immediate Secret Rotation: Any customers able to control their secrets in Commvault’s Metallic platform should rotate credentials immediately and establish a firm 30-day rotation policy.
- Limited Reach: It’s important to note, as cautioned by the advisory, that not all customers have the ability to control these secrets, underscoring a SaaS dependency risk.
4. Principle of Least Privilege
- Audit Application Registrations: Regularly audit the list of registered applications and service principals in your Entra environment for excessive or unnecessary privilege elevation.
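One way to operationalize both the 30-day rotation policy from section 3 and the application registration audit in section 4, as an added example that is not Commvault’s or CISA’s code: the script below walks service principal objects in the shape Microsoft Graph returns, flags secrets older than 30 days, flags more than one live secret on an app (a credential someone else may have added), and flags high-privilege Graph permissions that are not on the app’s approved list. The permission review list, the app names and the sample objects are assumptions constructed for the example.

```python
import json
from datetime import datetime, timedelta

# Graph application permissions broad enough that a backup integration must justify
# each one explicitly (assumed review list; tune to your own policy).
HIGH_PRIVILEGE = {
    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "Application.ReadWrite.All",
    "Sites.FullControl.All", "Mail.ReadWrite", "Files.ReadWrite.All", "User.ReadWrite.All",
}
MAX_SECRET_AGE = timedelta(days=30)  # the 30-day rotation policy recommended above

# Constructed sample in the shape of Graph servicePrincipal objects, with the granted
# application permissions already resolved to permission names (assumption).
SAMPLE_SERVICE_PRINCIPALS = json.dumps([
    {"appDisplayName": "Metallic Backup for M365",
     "passwordCredentials": [
         {"keyId": "a1", "startDateTime": "2025-01-02T00:00:00Z", "endDateTime": "2027-01-02T00:00:00Z"},
         {"keyId": "b2", "startDateTime": "2025-05-15T00:00:00Z", "endDateTime": "2025-06-15T00:00:00Z"}],
     "grantedAppRoles": ["Mail.ReadWrite", "Files.ReadWrite.All", "Directory.ReadWrite.All"]},
    {"appDisplayName": "Ticketing Connector",
     "passwordCredentials": [
         {"keyId": "c3", "startDateTime": "2025-05-18T00:00:00Z", "endDateTime": "2025-11-18T00:00:00Z"}],
     "grantedAppRoles": ["User.Read.All"]},
])

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_service_principals(sp_json, now_iso, expected_roles):
    """Return {app name: [issues]} for secrets older than MAX_SECRET_AGE, more than one
    live secret (a possible unauthorized addition), and high-privilege permissions not
    listed in expected_roles for that app."""
    now, findings = _ts(now_iso), {}
    for sp in json.loads(sp_json):
        name, issues = sp["appDisplayName"], []
        live = [c for c in sp.get("passwordCredentials", []) if _ts(c["endDateTime"]) > now]
        for cred in live:
            age = now - _ts(cred["startDateTime"])
            if age > MAX_SECRET_AGE:
                issues.append(f"secret {cred['keyId']} is {age.days} days old")
        if len(live) > 1:
            issues.append(f"{len(live)} live secrets (possible unauthorized addition)")
        for role in sp.get("grantedAppRoles", []):
            if role in HIGH_PRIVILEGE and role not in expected_roles.get(name, set()):
                issues.append(f"unjustified high-privilege permission {role}")
        if issues:
            findings[name] = issues
    return findings
```

Run against a dated snapshot so findings are reproducible in a change record; here the backup app trips all three checks while the ticketing connector is clean.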
5. Additional M365 Security Baselines
- Secure Cloud Business Applications (SCuBA): CISA recommends following M365 security guidance that applies multi-layered controls, including robust identity management, multi-factor authentication, and scoped application permissions.
6. For On-premises Installations
- Network Segmentation: Restrict admin portals to trusted networks, block external access where possible, and deploy web application firewalls to detect and block suspicious behaviors such as path traversal or malicious file uploads.
- Patch Management: Apply all relevant patches, particularly those addressing CVE-2025-3928, and continuously monitor for updates.
Critical Assessment: Strengths and Weaknesses in the Response
Notable Strengths
- Transparency: Commvault’s willingness to issue an immediate, clear security advisory is exemplary and demonstrates a commitment to customer trust, albeit reactive. Their provision of resources and direct mitigation steps reflects industry best practice.
- CISA’s Proactive Monitoring: By investigating and issuing cross-industry guidance, CISA continues to function as a critical hub for coordinated response across both public and private sectors.
Gaps, Limitations, and Cautions
- Dependency on Vendor Controls: Customers relying on SaaS must trust not only the software vendor’s controls, but also their timely disclosure of breaches. In cases where only the vendor can rotate secrets, customers are left vulnerable to delays or hidden risk windows.
- Patch and Mitigation Availability: Not all mitigations are universally accessible (e.g., conditional access policies tied to premium licensing). This can create an uneven risk landscape.
- Complexity of Real-world Implementation: Recommendations such as threat hunting in Entra logs, least privilege audits, and regular credential rotation require advanced security maturity and may be out of reach for smaller organizations.
Broader Cloud Security Trends and Lessons Learned
SaaS as a Growing Attack Surface
Recent years have seen a dramatic increase in attacks against cloud and SaaS service layers, especially as attackers realize the business-critical data these platforms process and store. Backup systems, often seen as an “insurance policy” against ransomware, have become top-tier targets for initial access and data-weaponization operations.
Identity Is the New Perimeter
Incidents like this prove that identity–not network–is the battleground for cloud compromise. Attackers weaponize stolen or misused credentials and leverage poorly-audited service principal permissions, sometimes using native cloud automation to evade detection.
Zero Trust, or Zero Visibility?
The shift to Zero Trust architectures implies continuous verification and monitoring. This event demonstrates the existential risk when organizations lack visibility into the “backend” of their SaaS providers–an argument for deeper vendor diligence and third-party attestations.
Concrete Steps for Commvault and SaaS Customers
Immediate Actions
- Verify with Commvault: Contact your account representative to determine if your tenant or secrets have been exposed.
- Rotate and Audit: Rotate any credentials that touch the Metallic platform, and review all linked service principals.
- Enhance Monitoring: Implement (or validate) advanced logging and behavioral analytics for all privileged app activity.
- Assess SaaS Vendor Security Posture: Review written SLAs and security documentation, and demand greater transparency for privileged operations.
Long-term Strategies
- Limit Dependence on Vendor-Stored Secrets: Where possible, hold your own secrets and rotate them on a regular (preferably automated) basis.
- Mandate Least Privilege: Regularize application registration reviews in your internal change management process.
- Push for SaaS Security Certifications and Audits: Third-party audits and published penetration testing reports should be required reading prior to any platform integration.
The Regulatory and Legal Angle
The incident underscores the growing regulatory scrutiny over supply chain security in SaaS ecosystems. In the US, mandatory reporting requirements for significant SaaS breaches are on the horizon. Notifications like this should be considered not just helpful, but soon potentially required by law.
Organizations that fail to demonstrate strong vendor management and rapid incident response may find themselves on the wrong side of compliance audits or civil litigation, particularly where customer or patient data is at risk.
Thoughts for IT Leaders, CISOs, and Boardrooms
No reputable MSP or SaaS provider is immune to compromise, but the difference between a controlled incident and a crisis is rooted in preparation, visibility, and transparency.
Key questions every IT and business leader should ask in the wake of this incident:
- Who within our organization manages and reviews all SaaS application permissions and secrets?
- How quickly can our security team detect and respond to anomalous SaaS activity?
- What contractual rights and protections do we have if a vendor’s compromise exposes our data?
Conclusion: Sharpening the Shared Responsibility Model
The Commvault Metallic breach is a cautionary tale, but also an opportunity. The rapid dissemination of effective mitigations by both the vendor and oversight bodies like CISA is a stark contrast to the protracted, opaque responses seen in past cloud supply chain breaches.
However, the heart of cloud security remains the same: a relentless focus on identity, vigilant auditing, privileged access management, and a candid relationship with SaaS and MSP partners. The concept of “trust but verify” must evolve into “trust, verify, and continuously monitor”–with both vendor and customer working in unison.
For now, the industry watches closely: the lessons learned here and the effectiveness of mitigation strategies may well define the next era of cloud and SaaS security.
For immediate assistance or to report suspicious activity related to Commvault Metallic, organizations are encouraged to contact CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870.
Source: CISA Advisory Update on Cyber Threat Activity Targeting Commvault’s SaaS Cloud Application (Metallic) | CISA