Amid escalating tensions in the global cybersecurity landscape, a new wave of sophisticated attacks has forced organizations to confront the risks buried deep within their cloud ecosystems. The latest alert, issued by the United States Cybersecurity and Infrastructure Security Agency (CISA), spotlights an urgent scenario: advanced threat actors are actively targeting Commvault's Metallic SaaS backup applications hosted on Microsoft Azure. These attacks have exploited a zero-day vulnerability—now designated CVE-2025-3928—allowing unauthorized access to application secrets, underscoring the multi-layered vulnerabilities plaguing modern enterprise cloud deployments.
Unraveling the Commvault Azure Metallic Attack: Anatomy and Impact
The campaign targeting Commvault is not a one-off event nor random in nature. According to CISA and official statements from Commvault, the attack demonstrates hallmarks of a coordinated, likely nation-state, operation. The ultimate prize for the perpetrators: access to Microsoft 365 (M365) environments of Commvault customers, a trove that can potentially unlock sensitive corporate data or even serve as a stepping stone for further lateral movement across the cloud supply chain.
How the Breach Unfolded
Investigative details reveal that adversaries have leveraged CVE-2025-3928—a critical vulnerability residing in multiple versions of Commvault's Web Server component. Discovered in February 2025, this zero-day flaw allows remote, authenticated attackers to inject and execute webshells, essentially granting the tools needed to control or pivot from compromised systems. Impacted versions span:
- 11.36.0 through 11.36.45
- 11.32.0 through 11.32.88
- 11.28.0 through 11.28.140
- 11.20.0 through 11.20.216
Attackers reportedly used the compromised environment to access the client secrets for Commvault Metallic—the backup-as-a-service solution tightly integrated with Microsoft 365. These secrets, essentially authentication credentials, could then be used to interact with customer Microsoft 365 tenants, circumventing carefully built layers of security.
Broader Campaign Targeting Cloud Weaknesses
CISA warns that this incident is symptomatic of a much broader industry threat: cloud SaaS applications, particularly those deployed with default configurations or excessive permissions, are being systematically targeted by adversaries. Such breaches not only highlight potential gaps in individual vendor controls but also illuminate systemic weaknesses in multi-cloud, multi-tenant architectures—where a single breach can ripple outward to numerous downstream customers.
Cloud environments managed via identity platforms such as Microsoft Entra (formerly Azure Active Directory) often rely on "service principals" for inter-application authentication. In the Commvault Metallic ecosystem, these principals stored secrets within the customer M365 environment, managed on the customer's behalf by Commvault. The attackers' ability to steal these secrets triggered CISA's broader mitigation guidance and urgent calls for industry-wide introspection.
CISA Mandates and Mitigation—A New Playbook
Responding to the urgency, CISA added CVE-2025-3928 to its Known Exploited Vulnerabilities (KEV) catalog, compelling Federal Civilian Executive Branch agencies to apply patches no later than May 19, 2025. However, CISA's recommendations transcend simple patching, reflecting the sophisticated nature of this threat.
Key Mitigation Recommendations
CISA's detailed guidance lays out a multi-pronged defensive strategy for organizations leveraging Commvault Metallic, as well as those architecting SaaS solutions atop Azure or other major cloud providers:
- Vigilant Monitoring of Entra and M365 Logs
  - Organizations are urged to monitor Microsoft Entra (Azure AD) audit logs for unauthorized modifications to service principals. Certain attack indicators—like unexpected creation or modification of application credentials—could flag early-stage compromise.
- Conditional Access Policy Enforcement
  - CISA recommends applying conditional access policies that restrict authentication for application principals to known, approved IP addresses—specifically, those within Commvault's allowlisted ranges. This limits the window of opportunity for attackers to leverage stolen credentials from outside the permitted network perimeter.
- Rotation of Application Secrets
  - Enterprises are expected to urgently rotate secrets for all Metallic applications and related service principals that were potentially exposed between February and May 2025. This recommendation aligns with established credential hygiene best practices—yet the urgency and scope here are unprecedented given the campaign's scale.
- Comprehensive Log Review and Threat Hunting
  - CISA calls for a holistic review of all Entra, sign-in, and unified audit logs to detect any signs of suspicious activity. This proactive hunt should be guided by an internal incident response playbook, factoring in both current exploit indicators and the possibility of secondary or tertiary intrusion attempts.
- Licensing Caveats for Single-Tenant Apps
  - For organizations using single-tenant applications, applying conditional access policies requires a Microsoft Entra Workload ID Premium License. This licensing nuance could present a barrier for rapid compliance among cost-conscious enterprises.
- Web Application Firewall Deployment
  - CISA suggests deploying robust Web Application Firewalls (WAFs) capable of detecting path traversal and webshell installation attempts. WAFs serve as a front-line defense—though, as ever, they are most effective as part of a multi-layered security approach.
- Network Segmentation for Management Access
  - Restricting access to Commvault management interfaces to only trusted internal networks can slow or halt attacker lateral movement, potentially buying precious time for detection and response.
- Credential Rotation Policies
  - CISA advocates for enforcing a policy of periodic credential rotation—every 30 days—as another layer of risk mitigation, reducing the lifecycle of any secrets that could be compromised in the future.
- General M365 Security Hygiene
  - The agency also references its Secure Cloud Business Applications (SCuBA) Project—a suite of controls and benchmarks specifically tailored to securing cloud business workloads across the government and Fortune 500 sectors alike.
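As an added defender-side illustration (not from CISA's alert or from Commvault's own tooling), the Python below runs three of the checks from the list above over constructed sample records: unapproved credential changes on service principals in Entra audit logs, service principal sign-ins from outside an allowlisted IP range, and secrets past the 30-day rotation interval. The audit operation names, the allowlist range and every record are assumptions or constructed samples, not values from the alert.

```python
"""Triage helpers for three checks in CISA's Commvault guidance: service principal credential
changes in Entra audit logs, sign-ins from outside the allowlisted IP ranges, stale secrets."""
import ipaddress
from datetime import datetime, timedelta, timezone

# Entra audit operation names that change application credentials (assumed to match
# the export schema of your tenant; confirm against real records before alerting).
CREDENTIAL_OPS = {"Add service principal credentials",
                  "Update application – Certificates and secrets management"}
# Placeholder allowlist (RFC 5737 documentation range); replace with Commvault's published ranges.
ALLOWED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
MAX_SECRET_AGE = timedelta(days=30)  # CISA's recommended rotation interval

def credential_changes(audit_records, approved_actors):
    """Audit entries that changed app credentials and came from an unapproved actor."""
    return [r for r in audit_records
            if r["operation"] in CREDENTIAL_OPS and r["actor"] not in approved_actors]

def offnet_signins(signin_records):
    """Service principal sign-ins whose source IP is outside ALLOWED_RANGES."""
    return [r for r in signin_records
            if not any(ipaddress.ip_address(r["ip"]) in net for net in ALLOWED_RANGES)]

def stale_secrets(secrets, now):
    """Secrets created more than MAX_SECRET_AGE before `now` (timezone-aware datetimes)."""
    return [s for s in secrets if now - s["created"] > MAX_SECRET_AGE]

# Constructed sample records shaped like Entra audit/sign-in exports; not real data.
AUDIT = [
    {"operation": "Add service principal credentials", "actor": "backup-admin@example.com",
     "target": "Metallic Backup App"},
    {"operation": "Add service principal credentials", "actor": "unknown-user@example.com",
     "target": "Metallic Backup App"},
    {"operation": "Update user", "actor": "unknown-user@example.com", "target": "jdoe"},
]
SIGNINS = [
    {"app": "Metallic Backup App", "ip": "203.0.113.25", "time": "2025-05-10T08:00:00Z"},
    {"app": "Metallic Backup App", "ip": "192.0.2.77", "time": "2025-05-10T08:05:00Z"},
]
NOW = datetime(2025, 5, 20, tzinfo=timezone.utc)
SECRETS = [
    {"app": "Metallic Backup App", "key_id": "key-A", "created": NOW - timedelta(days=95)},
    {"app": "Metallic Backup App", "key_id": "key-B", "created": NOW - timedelta(days=3)},
]

if __name__ == "__main__":
    for r in credential_changes(AUDIT, {"backup-admin@example.com"}):
        print("ALERT unapproved credential change:", r["actor"], "->", r["target"])
    for r in offnet_signins(SIGNINS):
        print("ALERT sign-in outside allowlist:", r["ip"], r["time"])
    for s in stale_secrets(SECRETS, NOW):
        print("ROTATE secret past 30 days:", s["app"], s["key_id"])
```

In a real tenant the same three functions would be fed from Entra audit-log and sign-in exports (or the equivalent SIEM query) rather than the inline samples.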
Table: Summary of CISA's Immediate Mitigation Actions
| Action | Purpose | Tools/Requirements |
|---|---|---|
| Patch to latest Commvault version | Eliminate CVE-2025-3928 exploit path | Official Commvault patches |
| Monitor Entra logs | Detect unauthorized app/service modifications | M365/Entra admin tools |
| Restrict service principal sign-in | Limit use of stolen credentials | Conditional Access Policies (premium) |
| Rotate application secrets | Invalidate leaked credentials | M365/Azure admin portal |
| Deploy WAFs | Block malicious traffic such as webshells | Azure WAF, third-party appliances |
| Restrict admin interface access | Prevent external brute-forcing and abuse | Network security controls |
| Enforce credential rotation policy | Minimize exposure window | Automated scripts, policy enforcement |
| Review logs and hunt threats | Identify ongoing or previous attacks | Unified Audit Logs, SIEM platforms |
Technical Analysis: The Underlying Security Gaps
The Commvault attack raises pressing questions about the architecture of cloud-native SaaS backups, and more broadly, about best practices for managing secrets and identity in sprawling cloud ecosystems.
Default Configurations: A Persistent Weakness
One of the most cited contributing factors in major breaches is over-permissive or default configuration of cloud resources. In the case of Commvault Metallic, the application's ability to store and manage application secrets centrally was designed for seamless backup and restoration across multiple customer tenants. However, if these stored secrets are insufficiently segregated or improperly permissioned, one successful breach can "fan out" access across numerous downstream victims.
Service Principals as a Double-Edged Sword
Identity-based authentication—whether via Microsoft Entra service principals or OAuth for other public cloud platforms—remains essential to secure, automated operations between cloud services. Yet, these same credentials have become a juicy target for attackers. If secrets are not rotated routinely, or if audit logs are not proactively monitored for anomalous activity, attackers can use them to silently maintain persistent access.
CISA's guidance, requiring organizations to actively monitor and narrow the scope of service principal sign-in, reflects an emerging consensus: identity is the new perimeter, and it must be treated with the same rigor as traditional firewall rules or endpoint protections.
Patch and Response Speed: The Ongoing Race Against Adversaries
The incident also underscores the cruel arithmetic of cloud vulnerability management. Even with a well-publicized vulnerability, patches must be applied instantaneously—not simply available for download. The difference between breach and safety is often measured in hours.
Federal mandates—such as CISA's May 19, 2025 deadline for patching CVE-2025-3928—help raise the bar, but many private sector organizations still lag in the patch adoption curve, increasing the overall threat window for opportunistic attackers.
Critical Perspective: Strengths, Weaknesses, and the Road Ahead
The rapid response of both Commvault and CISA has, by most accounts, limited the overall impact of this breach. Commvault officials and CISA both emphasize that no backup data was exfiltrated. Business continuity operations are reportedly unaffected. Security communications have been transparent, with Commvault identifying five malicious IP addresses involved in the attack (108.69.148.100, 128.92.80.210, 184.153.42.129, 108.6.189.53, and 159.242.42.20), which can now be used for immediate blocklisting and forensics.
However, certain risks persist:
- Long-Term Exposure: The precise dwell time of adversaries within Commvault's Azure environment is not fully disclosed. Security experts warn that even after access is cut off, artifacts of the attackers' presence (such as additional backdoors or exfiltrated secrets) may linger unnoticed for weeks or months.
- Shadow IT and Supply Chain Risk: Organizations increasingly depend on third-party SaaS providers for mission-critical services. If those vendors follow a different or less stringent security baseline, the entire customer base absorbs the downstream risk.
- Credential Stealing and the Identity Perimeter: As the attack illustrates, secrets management is a chronic pain point. Whether it's hard-coded keys, secrets left in cloud storage, or insufficient monitoring of credential usage, attackers are finding innovative paths around even multi-factor authentication defenses.
- Reputational Impact: The specter of a high-profile breach involving trusted backup solutions may lead some risk-averse organizations to reevaluate their SaaS provider relationships, or to introduce new contractual security demands—potentially increasing compliance costs across the industry.
The Future of Cloud SaaS Security: Lessons Learned
This incident, like others in recent memory, vaults cloud SaaS security to the top of strategic agendas for IT and compliance leaders worldwide. Several broad lessons emerge:
Zero Trust Gets Real
Security models built around "trusted zones" or "walled gardens" are no longer fit for purpose. A true Zero Trust approach—where every request, whether from internal systems or external partners, is continuously authenticated and authorized—provides the only credible defense against sophisticated, identity-driven attacks.
Proactive Threat Intelligence Collaboration
The swift identification and publication of attack indicators by Commvault and CISA provided precious detection time for organizations. However, the gap between "known" and "unknown" is only narrowing through more direct threat intelligence sharing, ideally through automated feeds and industry-specific consortiums that outpace the speed of attacker innovation.
Automation, Detection, and Response
Manual review of logs or credentials is too slow for modern cloud attack campaigns. Automated systems that surface anomalies—whether in service principal behavior, secret rotation events, or geographic login patterns—are essential. Organizations will increasingly rely on Security Information and Event Management (SIEM) and Extended Detection and Response (XDR) platforms tailored for multi-cloud realities.
Integrated Vendor Risk Management
The need for robust security reviews and contractual guarantees from SaaS providers is now more urgent. Organizations must analyze not only their own hardening posture, but also the "blast radius" of any vendor's controls, requiring auditable security practices and transparency around incident response.
Continuous Education and Tabletop Exercises
Finally, people remain the ultimate safeguard, or failure point, in cloud security. Regular training, realistic breach simulations, and cross-functional tabletop exercises can mean the difference between rapid containment and business-threatening fallout.
Conclusion: Building Resilience for the Next Wave
The revelations around Commvault Metallic's Azure compromise—and the broader campaign flagged by CISA—underscore the dual realities of cloud transformation: immense opportunity, shadowed by persistent and evolving risk. As enterprises accelerate adoption of SaaS solutions, the boundaries of "your data" versus "vendor data" blur, and the need for shared, actionable security controls becomes paramount.
Organizations cannot afford to treat security posture as a static checklist. Adopting rigorous credential management, conditional access, continuous monitoring, and instant patching must become routine. Meanwhile, transparency and timely threat intelligence sharing—across vendors, customers, and regulators—remain the industry's best hope to outpace adversaries exploiting cloud at speed and scale.
The Commvault incident may ultimately prove more cautionary than catastrophic, thanks in part to rapid response and clear guidance. But it delivers a timely clarion call: in the world of SaaS, security is not only a feature or a checkbox—it is the very foundation on which digital trust, and business continuity, rests. As threat actors refine their techniques, so too must IT leaders, forging a new culture of resilience that recognizes cloud identity, secrets management, and proactive defense as the pillars of tomorrow's secure enterprise.
Source: CybersecurityNews CISA Alerts on Threat Actors Targeting Commvault's Azure App to Steal Secrets