Commvault Zero-Day Exploitation Part of Broader Campaign Targeting SaaS Platforms, Warns CISA

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a new warning that the exploitation of a recently patched zero-day vulnerability in Commvault software may be part of a larger coordinated campaign targeting SaaS platforms and cloud environments.

The vulnerability, CVE-2025-3928, carries a CVSS score of 8.7 and is described as an unspecified flaw that allows remote, authenticated attackers to create and execute webshells, potentially resulting in full system compromise. Commvault patched the issue in late February 2025 after being notified by Microsoft of suspicious activity linked to a nation-state threat actor operating within its Azure environment.


Threat Actor Accessed App Secrets Tied to M365

In an updated advisory released in early May, Commvault confirmed that attackers may have accessed application credentials used by certain customers to authenticate with Microsoft 365 (M365). These secrets, stored by Commvault’s Metallic backup SaaS platform, may have provided unauthorized access to affected customers' cloud environments.

While Commvault emphasized that no customer backup data was compromised, it acknowledged that a small number of clients, primarily those shared with Microsoft, may have been impacted.


CISA Links Activity to Larger SaaS Campaign

According to CISA, the attackers likely leveraged CVE-2025-3928 to access client secrets and pivot into M365 environments, potentially as part of a wider campaign targeting SaaS companies with default configurations or elevated cloud permissions.

CISA and Commvault have released indicators of compromise (IoCs) to help organizations detect possible intrusions and are urging a proactive security posture.


Recommendations for Mitigation and Defense

To counter the threat, CISA advises organizations to:

For Cloud-Hosted Deployments:

  • Review Microsoft Entra (Azure AD) logs, especially for unusual modifications or additions to credentials by Commvault-related service principals.

  • Conduct internal threat hunting using Entra audit, sign-in, and unified audit logs.

  • Limit authentication access for single-tenant apps using conditional access policies that restrict logins to allowlisted IPs.

  • Rotate Metallic and app credentials regularly.

  • Audit service principals for overprivileged roles.
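The cloud-hosted recommendations above come down to two checks: look in the Entra ID audit log for credentials being added to Commvault-related service principals without a human in the loop, and review which application permissions those service principals hold. The script below is an added example, not CISA's or Commvault's tooling. It runs over constructed audit records that follow a simplified form of the Microsoft Graph directoryAudit schema (an assumption; adjust the field names to whatever your export or SIEM produces), and the service principal names, role baseline and sample values are all made up for the illustration.

```python
"""Hunt an exported Entra ID audit log for credential changes on Commvault/Metallic
service principals and flag service principals holding tenant-wide write roles.
Added example; records and names below are constructed, schema is a simplified
Microsoft Graph directoryAudit layout (assumption)."""
import json
import re

# Audit activity names Entra ID emits when an app or service principal credential changes.
CREDENTIAL_ACTIVITIES = {
    "Add service principal credentials",
    "Remove service principal credentials",
    "Update application – Certificates and secrets management",
}
# Service principals whose secrets should only change during a planned rotation (assumed names).
WATCHED_PRINCIPALS = re.compile(r"commvault|metallic", re.IGNORECASE)
# Graph application roles that grant tenant-wide write; a backup connector should not
# hold them (assumed least-privilege baseline, tune to your tenant).
HIGH_PRIVILEGE_ROLES = {
    "Directory.ReadWrite.All",
    "Application.ReadWrite.All",
    "AppRoleAssignment.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
}

# Constructed sample log: four records, two of which touch watched principals.
SAMPLE_AUDIT_LOG = json.dumps([
    {   # a service principal adds a secret to the Commvault connector, no user involved
        "activityDateTime": "2025-05-02T03:14:09Z",
        "activityDisplayName": "Add service principal credentials",
        "result": "success",
        "initiatedBy": {"app": {"displayName": "Commvault Backup Connector",
                                "servicePrincipalId": "00000000-0000-0000-0000-000000000001"}},
        "targetResources": [{"displayName": "Commvault Backup Connector", "type": "ServicePrincipal",
                             "modifiedProperties": [{"displayName": "KeyDescription",
                                                     "newValue": "[KeyType=Password,Usage=Verify]"}]}],
    },
    {   # an administrator rotates the Metallic app secret (expected during planned rotation)
        "activityDateTime": "2025-05-02T09:30:00Z",
        "activityDisplayName": "Add service principal credentials",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "cloudadmin@contoso.example"}},
        "targetResources": [{"displayName": "Metallic M365 Backup", "type": "ServicePrincipal",
                             "modifiedProperties": []}],
    },
    {   # unrelated user change, must be ignored
        "activityDateTime": "2025-05-02T10:00:00Z",
        "activityDisplayName": "Update user",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "cloudadmin@contoso.example"}},
        "targetResources": [{"displayName": "Jane Doe", "type": "User", "modifiedProperties": []}],
    },
    {   # credential change on an unrelated app, must be ignored
        "activityDateTime": "2025-05-02T11:00:00Z",
        "activityDisplayName": "Add service principal credentials",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "cloudadmin@contoso.example"}},
        "targetResources": [{"displayName": "HR Portal", "type": "ServicePrincipal",
                             "modifiedProperties": []}],
    },
])


def load_events(raw_json):
    """Parse an exported audit log (a JSON array of directoryAudit-style records)."""
    return json.loads(raw_json)


def describe_initiator(event):
    """Return 'app:<name>' or 'user:<upn>' so findings show whether a human was involved."""
    by = event.get("initiatedBy") or {}
    if by.get("app"):
        app = by["app"]
        return "app:" + (app.get("displayName") or app.get("servicePrincipalId") or "?")
    if by.get("user"):
        return "user:" + (by["user"].get("userPrincipalName") or "?")
    return "unknown"


def hunt_credential_changes(events):
    """Flag credential add/remove/update events whose target is a watched service principal.

    A credential added by another service principal (no interactive user) is the pattern
    worth escalating; a change made by a named administrator still needs review against
    the rotation schedule."""
    findings = []
    for ev in events:
        if ev.get("activityDisplayName") not in CREDENTIAL_ACTIVITIES:
            continue
        for target in ev.get("targetResources", []):
            if not WATCHED_PRINCIPALS.search(target.get("displayName", "")):
                continue
            who = describe_initiator(ev)
            findings.append({
                "time": ev.get("activityDateTime"),
                "activity": ev["activityDisplayName"],
                "target": target["displayName"],
                "initiated_by": who,
                "severity": "high" if who.startswith("app:") else "review",
            })
    return findings


def audit_overprivileged(assignments):
    """assignments: {service principal name: set of granted Graph application roles}.
    Returns only the principals holding roles from HIGH_PRIVILEGE_ROLES."""
    return {spn: sorted(roles & HIGH_PRIVILEGE_ROLES)
            for spn, roles in assignments.items() if roles & HIGH_PRIVILEGE_ROLES}


if __name__ == "__main__":
    for f in hunt_credential_changes(load_events(SAMPLE_AUDIT_LOG)):
        print(f"{f['severity']:6} {f['time']} {f['activity']} -> {f['target']} by {f['initiated_by']}")
    # constructed role inventory, e.g. from the service principal's appRoleAssignments
    print(audit_overprivileged({"Commvault Backup Connector": {"Mail.Read", "Directory.ReadWrite.All"},
                                "Metallic M365 Backup": {"Files.Read.All"}}))
```

In practice the audit records come from the Graph `directoryAudits` endpoint or the unified audit log export, and the role inventory from each service principal's app role assignments; the watch list should name the exact service principals created for Commvault or Metallic in your tenant rather than relying on a substring match.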

For On-Premises Installations:

  • Restrict access to Commvault’s management interfaces to trusted networks only.

  • Deploy a web application firewall (WAF) to block path traversal and malicious file uploads.

  • Remove unnecessary external access points.

  • Apply all available patches.

  • Monitor for abnormal activity originating from unexpected file directories.
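For the on-premises items, the parts a defender can check from the web server's own access log are whether the management interface is being reached from outside the trusted networks, whether requests carry path-traversal sequences (including double-encoded ones a naive filter misses), and whether server-side scripts are being served from directories where none should exist. The script below is an added example and is not CISA's or Commvault's code. The management path `/admin-console/`, the trusted network `10.20.0.0/16` and every log line are constructed placeholders, not Commvault's real paths; substitute the actual interface paths and network ranges for your deployment.

```python
"""Triage web-server access logs against the on-premises recommendations:
management interface reached from untrusted networks, path-traversal sequences,
and scripts served from unexpected directories. Added example; all paths,
networks and log lines are constructed placeholders."""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Assumed trusted management network and placeholder management interface path.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
MGMT_PREFIXES = ("/admin-console/",)
# Directories from which server-side scripts are expected to be served (assumed baseline).
SCRIPT_OK_PREFIXES = ("/admin-console/",)
SCRIPT_EXTS = (".jsp", ".jspx", ".aspx", ".ashx", ".php")

# Apache/nginx "combined" format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample: two benign requests from the management network, then three
# from an outside address, one of them double-encoded.
SAMPLE_LOG = """\
10.20.0.5 - - [02/May/2025:10:01:12 +0000] "GET /admin-console/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.20.0.5 - - [02/May/2025:10:01:13 +0000] "GET /admin-console/static/app.js HTTP/1.1" 200 880 "-" "Mozilla/5.0"
203.0.113.77 - - [02/May/2025:10:02:45 +0000] "GET /admin-console/ HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.77 - - [02/May/2025:10:03:01 +0000] "POST /api/files?dest=..%252F..%252Ftmp HTTP/1.1" 200 15 "-" "curl/8.0"
203.0.113.77 - - [02/May/2025:10:03:09 +0000] "GET /tmp/report.jsp HTTP/1.1" 200 42 "-" "curl/8.0"
"""


def parse_line(line):
    """Return the captured fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(ip):
    """True when the client address falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def decode_target(target, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded traversal is not missed,
    and normalise backslashes so '..\\' is treated like '../'."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")


def triage(lines):
    """Apply the three checks to each parsable line; one finding per matched check."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        decoded = decode_target(ev["target"])
        path = urlsplit(decoded).path
        checks = [
            ("mgmt-from-untrusted", path.startswith(MGMT_PREFIXES) and not is_trusted(ev["ip"])),
            ("traversal", "../" in decoded),
            ("script-in-unexpected-dir", ev["status"] == "200"
                and path.lower().endswith(SCRIPT_EXTS)
                and not path.startswith(SCRIPT_OK_PREFIXES)),
        ]
        for reason, hit in checks:
            if hit:
                findings.append({"ip": ev["ip"], "time": ev["ts"], "target": ev["target"],
                                 "decoded": decoded, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f['reason']:26} {f['ip']:15} {f['decoded']}")
```

The traversal check runs on the decoded request rather than the raw one because a WAF rule that only matches the literal `../` is exactly what a double-encoded request is shaped to slip past; the script check keys on a successful response, since a script returned with a 200 from a directory that should hold no scripts is a stronger signal than a request for one that was refused.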


Strategic Outlook

This incident highlights a growing trend of advanced actors targeting SaaS platforms, capitalizing on default security settings and weak access controls. It reinforces the need for organizations using cloud and hybrid solutions to tighten authentication policies, minimize privileges, and stay vigilant for unusual behavior in connected environments.

CISA is continuing its investigation into this threat activity in coordination with Microsoft, Commvault, and other industry partners.