Amid escalating tensions in the global cybersecurity landscape, a new wave of sophisticated attacks has forced organizations to confront the risks buried deep within their cloud ecosystems. The latest alert, issued by the United States Cybersecurity and Infrastructure Security Agency (CISA), spotlights an urgent scenario: advanced threat actors are actively targeting Commvault’s Metallic SaaS backup applications hosted on Microsoft Azure. These attacks have exploited a zero-day vulnerability—now designated CVE-2025-3928—allowing unauthorized access to application secrets, underscoring the multi-layered vulnerabilities plaguing modern enterprise cloud deployments.
Unraveling the Commvault Azure Metallic Attack: Anatomy and Impact
The campaign targeting Commvault is neither a one-off event nor random in nature. According to CISA and official statements from Commvault, the attack bears the hallmarks of a coordinated, likely nation-state, operation. The ultimate prize for the perpetrators: access to the Microsoft 365 (M365) environments of Commvault customers, a trove that can unlock sensitive corporate data or serve as a stepping stone for further lateral movement across the cloud supply chain.
How the Breach Unfolded
Investigative details reveal that adversaries have leveraged CVE-2025-3928, a serious vulnerability residing in multiple versions of Commvault’s Web Server component. Discovered in February 2025 and exploited as a zero-day, the flaw allows a remote, authenticated attacker to create and execute webshells on the web server, providing the foothold needed to control or pivot from the compromised system. Impacted versions span:
- 11.36.0 through 11.36.45
- 11.32.0 through 11.32.88
- 11.28.0 through 11.28.140
- 11.20.0 through 11.20.216
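A first practical step is checking an inventory of CommServe/Web Server hosts against those four ranges. The script below is an added example, not Commvault or CISA tooling; it encodes only the ranges listed above (a build outside all of them is simply reported as not matched) and runs over a constructed sample inventory with hypothetical hostnames. The point worth internalizing is that builds must be compared as integer tuples, not as strings.

```python
# Affected build ranges exactly as listed above (inclusive). A build outside all
# four ranges is reported as not affected by this check; nothing else is assumed.
AFFECTED_RANGES = [
    ((11, 36, 0), (11, 36, 45)),
    ((11, 32, 0), (11, 32, 88)),
    ((11, 28, 0), (11, 28, 140)),
    ((11, 20, 0), (11, 20, 216)),
]

def parse_version(text):
    """Turn '11.36.12' into (11, 36, 12). Comparing integer tuples matters:
    as strings, '11.36.9' sorts after '11.36.45' and would be misjudged."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized Commvault version string: {text!r}")
    return tuple(int(p) for p in parts)

def is_affected(version_text):
    """True if the build falls inside one of the listed vulnerable ranges."""
    v = parse_version(version_text)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)

def triage(inventory):
    """inventory: {hostname: version}. Returns (affected, unparseable), both sorted."""
    affected, unparseable = [], []
    for host, ver in inventory.items():
        try:
            if is_affected(ver):
                affected.append(host)
        except ValueError:
            unparseable.append(host)  # e.g. a CMDB entry with no version recorded
    return sorted(affected), sorted(unparseable)

# Constructed sample inventory (hypothetical hostnames and builds).
SAMPLE_INVENTORY = {
    "cs-prod-01": "11.36.45",   # last affected 11.36 build
    "cs-prod-02": "11.36.46",   # one build past the range: not flagged
    "cs-dr-01": "11.32.9",      # would sort wrongly as a string; flagged correctly here
    "cs-lab-01": "11.40.3",     # outside every listed range
    "cs-legacy-01": "unknown",  # incomplete record, surfaced for manual follow-up
}

if __name__ == "__main__":
    affected, unparseable = triage(SAMPLE_INVENTORY)
    print("still on an affected build:", affected)
    print("version could not be parsed:", unparseable)
```

Hosts whose version cannot be parsed are listed separately rather than silently treated as safe; in a real inventory those are exactly the records that need a manual look.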
Attackers reportedly used the compromised environment to access the client secrets for Commvault Metallic, the backup-as-a-service solution tightly integrated with Microsoft 365. These secrets are authentication credentials in their own right: whoever holds one can authenticate to the customer’s Microsoft 365 tenant as the Metallic application, bypassing the layers of security built around human accounts.
Broader Campaign Targeting Cloud Weaknesses
CISA warns that this incident is symptomatic of a much broader industry threat: cloud SaaS applications, particularly those deployed with default configurations or excessive permissions, are being systematically targeted by adversaries. Such breaches not only highlight potential gaps in individual vendor controls but also illuminate systemic weaknesses in multi-cloud, multi-tenant architectures, where a single breach can ripple outward to numerous downstream customers.
Cloud environments managed via identity platforms such as Microsoft Entra (formerly Azure Active Directory) rely on “service principals” for application-to-application authentication. In the Commvault Metallic ecosystem, each customer tenant hosts a service principal through which Metallic reads and restores M365 data, and the client secret for that principal is stored and managed by Commvault on the customer’s behalf. The attackers’ ability to steal those secrets from Commvault’s environment triggered CISA’s broader mitigation guidance and urgent calls for industry-wide introspection.
CISA Mandates and Mitigation—A New Playbook
Responding to the urgency, CISA added CVE-2025-3928 to its Known Exploited Vulnerabilities (KEV) catalog on April 28, 2025, which under Binding Operational Directive 22-01 compels Federal Civilian Executive Branch agencies to apply patches no later than May 19, 2025. However, CISA’s recommendations transcend simple patching, reflecting the sophisticated nature of this threat.
Key Mitigation Recommendations
CISA’s detailed guidance lays out a multi-pronged defensive strategy for organizations leveraging Commvault Metallic, as well as those architecting SaaS solutions atop Azure or other major cloud providers:
- Vigilant Monitoring of Entra and M365 Logs
- Organizations are urged to monitor Microsoft Entra (Azure AD) audit logs for unauthorized modifications to application registrations and service principals. Unexpected additions of credentials (client secrets or certificates) to the Metallic application, or changes made by accounts that do not normally administer it, are early-stage indicators of compromise.
- Conditional Access Policy Enforcement
- CISA recommends applying conditional access policies that restrict authentication for application principals to known, approved IP addresses—specifically, those within Commvault’s allowlisted ranges. This limits the window of opportunity for attackers to leverage stolen credentials from outside the permitted network perimeter.
- Rotation of Application Secrets
- Enterprises are urged to rotate secrets for all Metallic applications and related service principals that may have been exposed between February and May 2025. This aligns with established credential hygiene practice; what makes it urgent here is that rotation is a containment step, since a stolen secret stays valid until it is replaced.
- Comprehensive Log Review and Threat Hunting
- CISA calls for a holistic review of all Entra, sign-in, and unified audit logs to detect any signs of suspicious activity. This proactive hunt should be guided by an internal incident response playbook, factoring in both current exploit indicators and the possibility of secondary or tertiary intrusion attempts.
- Licensing Caveats for Single-Tenant Apps
- For organizations using single-tenant applications, applying conditional access policies requires a Microsoft Entra Workload ID Premium License. This licensing nuance could present a barrier for rapid compliance among cost-conscious enterprises.
- Web Application Firewall Deployment
- CISA suggests deploying Web Application Firewalls (WAFs) in front of the Commvault web server to detect and block path-traversal attempts and suspicious file uploads, the mechanics behind webshell installation. WAFs serve as a front-line defense, though, as ever, they are most effective as one layer of a multi-layered approach.
- Network Segmentation for Management Access
- Restricting access to Commvault management interfaces to only trusted internal networks can slow or halt attacker lateral movement, potentially buying precious time for detection and response.
- Credential Rotation Policies
- CISA advocates for enforcing a policy of periodic credential rotation—every 30 days—as another layer of risk mitigation, reducing the lifecycle of any secrets that could be compromised in the future.
- General M365 Security Hygiene
- The agency also references its Secure Cloud Business Applications (SCuBA) project, which publishes baseline configurations and assessment tooling for Microsoft 365 (and Google Workspace). The baselines were developed for federal civilian agencies but apply equally to any organization running those services.
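The monitoring, allowlist and rotation checks above can be run as one small hunt. The script below is an added example, not code from CISA or Commvault. It works over constructed sample records shaped like Microsoft Graph directory audit entries, service principal sign-in entries and application `passwordCredentials`; the allowlist prefixes (203.0.113.0/24, 198.51.100.0/24) are RFC 5737 documentation placeholders standing in for Commvault’s published ranges, the application and service principal IDs are made up, and the 30-day window follows the rotation policy recommended above.

```python
import ipaddress
from datetime import datetime, timedelta

# Placeholder allowlist (RFC 5737 documentation prefixes), standing in for the
# Commvault egress ranges an operator would take from Commvault's documentation.
COMMVAULT_ALLOWLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Entra audit activities that add, change or remove an application's credentials.
CREDENTIAL_CHANGE_ACTIVITIES = {
    "Update application – Certificates and secrets management",
    "Add service principal credentials",
    "Remove service principal credentials",
}

# Constructed sample data (hypothetical IDs), shaped like Microsoft Graph
# directoryAudits, service principal sign-in and passwordCredentials records.
SAMPLE_AUDIT_EVENTS = [
    {"activityDateTime": "2025-03-02T11:14:05Z",
     "activityDisplayName": "Update application – Certificates and secrets management",
     "initiatedBy": {"user": {"userPrincipalName": "svc-admin@example.com"}},
     "targetResources": [{"id": "app-metallic-0001", "type": "Application"}]},
    {"activityDateTime": "2025-03-02T11:20:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.com"}},
     "targetResources": [{"id": "user-42", "type": "User"}]},
    {"activityDateTime": "2025-03-05T09:00:00Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"app": {"displayName": "Microsoft Graph PowerShell"}},
     "targetResources": [{"id": "sp-metallic-0001", "type": "ServicePrincipal"}]},
]
SAMPLE_SP_SIGNINS = [
    {"createdDateTime": "2025-03-03T02:11:09Z", "servicePrincipalId": "sp-metallic-0001",
     "servicePrincipalName": "Commvault Metallic Backup", "ipAddress": "203.0.113.17", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-03T02:15:44Z", "servicePrincipalId": "sp-metallic-0001",
     "servicePrincipalName": "Commvault Metallic Backup", "ipAddress": "192.0.2.99", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-03T02:16:10Z", "servicePrincipalId": "sp-metallic-0001",
     "servicePrincipalName": "Commvault Metallic Backup", "ipAddress": "192.0.2.98", "status": {"errorCode": 7000215}},
    {"createdDateTime": "2025-03-03T03:00:00Z", "servicePrincipalId": "sp-payroll",
     "servicePrincipalName": "Payroll Sync", "ipAddress": "192.0.2.5", "status": {"errorCode": 0}},
]
SAMPLE_PASSWORD_CREDENTIALS = [
    {"keyId": "k-old", "startDateTime": "2024-11-01T00:00:00Z", "endDateTime": "2026-11-01T00:00:00Z"},
    {"keyId": "k-new", "startDateTime": "2025-05-20T00:00:00Z", "endDateTime": "2025-08-18T00:00:00Z"},
]

def parse_utc(ts):
    """Parse a Graph-style UTC timestamp ('...Z') into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def _actor(event):
    """Who performed the audited action: a user UPN or an application name."""
    who = event.get("initiatedBy") or {}
    if who.get("user"):
        return who["user"].get("userPrincipalName", "unknown-user")
    if who.get("app"):
        return who["app"].get("displayName", "unknown-app")
    return "unknown"

def flag_credential_changes(events, watched_ids):
    """Credential add/change/remove events whose target is a watched app or service principal."""
    hits = []
    for ev in events:
        if ev.get("activityDisplayName") not in CREDENTIAL_CHANGE_ACTIVITIES:
            continue
        for target in ev.get("targetResources", []):
            if target.get("id") in watched_ids:
                hits.append((ev["activityDateTime"], ev["activityDisplayName"], _actor(ev), target["id"]))
    return hits

def flag_out_of_range_signins(signins, watched_ids, allowlist=COMMVAULT_ALLOWLIST):
    """Successful sign-ins by watched service principals from IPs outside the allowlist.
    Failed attempts (non-zero errorCode) are skipped: they do not prove a working secret,
    though a burst of them from unexpected IPs deserves its own alert."""
    hits = []
    for s in signins:
        if s.get("servicePrincipalId") not in watched_ids:
            continue
        if (s.get("status") or {}).get("errorCode", 0) != 0:
            continue
        ip = ipaddress.ip_address(s["ipAddress"])
        if not any(ip in net for net in allowlist):
            hits.append((s["createdDateTime"], s["servicePrincipalName"], s["ipAddress"]))
    return hits

def credentials_due_for_rotation(creds, now, max_age_days=30):
    """keyIds of secrets older than max_age_days, or already expired, as of `now`."""
    cutoff = now - timedelta(days=max_age_days)
    return [c["keyId"] for c in creds
            if parse_utc(c["startDateTime"]) <= cutoff or parse_utc(c["endDateTime"]) <= now]

if __name__ == "__main__":
    watched = {"app-metallic-0001", "sp-metallic-0001"}
    for hit in flag_credential_changes(SAMPLE_AUDIT_EVENTS, watched):
        print("credential change on watched principal:", hit)
    for hit in flag_out_of_range_signins(SAMPLE_SP_SIGNINS, watched):
        print("sign-in outside allowlist:", hit)
    print("due for rotation:", credentials_due_for_rotation(SAMPLE_PASSWORD_CREDENTIALS, parse_utc("2025-06-01T00:00:00Z")))
```

In a real tenant the three record sets come from the Graph `auditLogs/directoryAudits` endpoint, the service principal sign-in log and the application’s `passwordCredentials` property respectively; the functions are deliberately kept independent of how the records were fetched so the same logic can be run over a SIEM export. Note that a sign-in from outside the allowlist is only a finding once Conditional Access is not yet blocking it, which is exactly the situation before the policy above is deployed.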
Table: Summary of CISA’s Immediate Mitigation Actions
| Action | Purpose | Tools/Requirements |
|---|---|---|
| Patch to a fixed Commvault version | Eliminate the CVE-2025-3928 exploit path | Official Commvault patches |
| Monitor Entra logs | Detect unauthorized app/service principal modifications | M365/Entra admin tools |
| Restrict service principal sign-in | Limit use of stolen credentials | Conditional Access policies (Workload ID Premium for single-tenant apps) |
| Rotate application secrets | Invalidate leaked credentials | M365/Azure admin portal |
| Deploy WAFs | Block path traversal and webshell uploads | Azure WAF, third-party appliances |
| Restrict admin interface access | Prevent external brute-forcing and abuse | Network security controls |
| Enforce credential rotation policy | Minimize exposure window | Automated scripts, policy enforcement |
| Review logs and hunt threats | Identify ongoing or previous attacks | Unified Audit Logs, SIEM platforms |
Technical Analysis: The Underlying Security Gaps
The Commvault attack raises pressing questions about the architecture of cloud-native SaaS backups, and more broadly, about best practices for managing secrets and identity in sprawling cloud ecosystems.
Default Configurations: A Persistent Weakness
One of the most cited contributing factors in major breaches is over-permissive or default configuration of cloud resources. In the case of Commvault Metallic, the application’s ability to store and manage application secrets centrally was designed for seamless backup and restoration across multiple customer tenants. However, if these stored secrets are insufficiently segregated or improperly permissioned, one successful breach can ‘fan out’ access across numerous downstream victims.
Service Principals as a Double-Edged Sword
Identity-based authentication, whether via Microsoft Entra service principals or OAuth clients on other public cloud platforms, remains essential to secure, automated operations between cloud services. Yet these same credentials have become a prime target for attackers. If secrets are not rotated routinely, or if audit logs are not proactively monitored for anomalous activity, attackers can use them to silently maintain persistent access.
CISA’s guidance, requiring organizations to actively monitor and narrow the scope of service principal sign-in, reflects an emerging consensus: identity is the new perimeter, and it must be treated with the same rigor as traditional firewall rules or endpoint protections.
Patch and Response Speed: The Ongoing Race Against Adversaries
The incident also underscores the cruel arithmetic of cloud vulnerability management. A published patch helps only once it is applied; between release and deployment, every exposed instance is a target for attackers who have already read the advisory. The difference between breach and safety is often measured in hours.
Federal mandates, such as CISA’s May 19, 2025 deadline for patching CVE-2025-3928, help raise the bar, but many private sector organizations still lag in the patch adoption curve, increasing the overall threat window for opportunistic attackers.
Critical Perspective: Strengths, Weaknesses, and the Road Ahead
The rapid response of both Commvault and CISA has, by most accounts, limited the overall impact of this breach. Commvault states that no unauthorized access to customer backup data occurred and that business continuity operations were unaffected. Security communications have been transparent, with Commvault identifying five malicious IP addresses involved in the attack (108.69.148.100, 128.92.80.210, 184.153.42.129, 108.6.189.53, and 159.242.42.20), which can be used for immediate blocklisting and for searching historical logs.
However, certain risks persist:
- Long-Term Exposure: The precise dwell time of adversaries within Commvault’s Azure environment is not fully disclosed. Security experts warn that even after access is cut off, artifacts of the attackers’ presence (such as additional backdoors or exfiltrated secrets) may linger unnoticed for weeks or months.
- Shadow IT and Supply Chain Risk: Organizations increasingly depend on third-party SaaS providers for mission-critical services. If those vendors follow a different or less stringent security baseline, the entire customer base absorbs the downstream risk.
- Credential Stealing and the Identity Perimeter: As the attack illustrates, secrets management is a chronic pain point. Whether it’s hard-coded keys, secrets left in cloud storage, or insufficient monitoring of credential usage, attackers are finding innovative paths around even multi-factor authentication defenses.
- Reputational Impact: The specter of a high-profile breach involving trusted backup solutions may lead some risk-averse organizations to reevaluate their SaaS provider relationships, or to introduce new contractual security demands—potentially increasing compliance costs across the industry.
The Future of Cloud SaaS Security: Lessons Learned
This incident, like others in recent memory, vaults cloud SaaS security to the top of strategic agendas for IT and compliance leaders worldwide. Several broad lessons emerge:
Zero Trust Gets Real
Security models built around “trusted zones” or “walled gardens” are no longer fit for purpose. A true Zero Trust approach, where every request, whether from internal systems or external partners, is continuously authenticated and authorized, is the credible baseline against identity-driven attacks like this one.
Proactive Threat Intelligence Collaboration
The swift identification and publication of attack indicators by Commvault and CISA gave organizations precious detection time. Narrowing the gap between “known” and “unknown” any further requires more direct threat intelligence sharing, ideally through automated feeds and industry-specific consortiums that keep pace with attacker innovation.
Automation, Detection, and Response
Manual review of logs or credentials is too slow for modern cloud attack campaigns. Automated systems that surface anomalies, whether in service principal behavior, secret rotation events, or geographic login patterns, are essential. Organizations will increasingly rely on Security Information and Event Management (SIEM) and Extended Detection and Response (XDR) platforms tailored for multi-cloud realities.
Integrated Vendor Risk Management
The need for robust security reviews and contractual guarantees from SaaS providers is now more urgent. Organizations must analyze not only their own hardening posture, but also the “blast radius” of any vendor’s controls, requiring auditable security practices and transparency around incident response.
Continuous Education and Tabletop Exercises
Finally, people remain the ultimate safeguard, or failure point, in cloud security. Regular training, realistic breach simulations, and cross-functional tabletop exercises can mean the difference between rapid containment and business-threatening fallout.
Conclusion: Building Resilience for the Next Wave
The revelations around Commvault Metallic’s Azure compromise, and the broader campaign flagged by CISA, underscore the dual realities of cloud transformation: immense opportunity, shadowed by persistent and evolving risk. As enterprises accelerate adoption of SaaS solutions, the boundaries of “your data” versus “vendor data” blur, and the need for shared, actionable security controls becomes paramount.
Organizations cannot afford to treat security posture as a static checklist. Adopting rigorous credential management, conditional access, continuous monitoring, and prompt patching must become routine. Meanwhile, transparency and timely threat intelligence sharing, across vendors, customers, and regulators, remain the industry’s best hope to outpace adversaries exploiting cloud at speed and scale.
The Commvault incident may ultimately prove more cautionary than catastrophic, thanks in part to rapid response and clear guidance. But it delivers a timely clarion call: in the world of SaaS, security is not only a feature or a checkbox—it is the very foundation on which digital trust, and business continuity, rests. As threat actors refine their techniques, so too must IT leaders, forging a new culture of resilience that recognizes cloud identity, secrets management, and proactive defense as the pillars of tomorrow’s secure enterprise.
Source: CybersecurityNews CISA Alerts on Threat Actors Targeting Commvault’s Azure App to Steal Secrets