
Companies Warned of Commvault Vulnerability Exploitation

CISA warns companies of a widespread campaign targeting a Commvault vulnerability to hack Azure environments.


The ongoing exploitation of a Commvault vulnerability that was targeted as a zero-day is likely part of a broader campaign against software-as-a-service (SaaS) solutions, the US cybersecurity agency CISA says.

Tracked as CVE-2025-3928 (CVSS score of 8.7), the vulnerability, whose technical details Commvault has not disclosed, allows a remote attacker to create and execute webshells, fully compromising vulnerable instances.

Commvault patched the bug in late February, warning that Microsoft had notified it that a suspected state-sponsored threat actor exploited the flaw as a zero-day to break into Commvault's own Azure environment. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog in late April.

In early May, the company updated its security advisory to warn that threat actors “may have accessed a subset of app credentials that certain Commvault customers use to authenticate their M365 environments.”

To help customers hunt for potential compromise, Commvault has published indicators of compromise (IoCs) associated with the observed activity. As remediation, it also rotated the affected credentials and tightened its monitoring rules.

According to the company, the malicious activity affected only a small number of customers it shares with Microsoft and did not involve unauthorized access to customer backup data stored by Commvault.

According to CISA, the attackers might have exploited CVE-2025-3928 to access client secrets for Commvault’s M365 backup SaaS solution hosted in Azure, resulting in unauthorized access to “Commvault’s customers’ M365 environments that have application secrets stored by Commvault.”

“CISA believes the threat activity may be part of a larger campaign targeting various SaaS companies’ cloud applications with default configurations and elevated permissions,” the agency notes.


Organizations are advised to monitor Entra audit logs for credentials being added to or modified on service principals by Commvault applications or service principals, to review Entra sign-in and unified audit logs and treat irregular logins as suspicious, to conduct internal threat hunting, to implement conditional access policies that limit the application service principal's authentication to the vendor's allowlisted IP ranges, to rotate Commvault Metallic application secrets and any other application credentials, to review application registrations and service principals for privileges beyond business need, and to implement strong M365 security controls.
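As an added illustration, not code from Commvault, Microsoft or CISA, the following Python runs the first two hunts above over constructed sample records: credential additions to an application or service principal that were initiated by an application identity or by a non-approved user, and service principal sign-ins from outside an allowlisted range (the same condition a conditional access policy would block going forward). The records are shaped like Microsoft Graph directoryAudit and service principal sign-in objects but trimmed; the app name, UPNs, object IDs, timestamps and the 203.0.113.0/24 allowlist are placeholders, and the allowlist should be replaced with the vendor's published ranges.

```python
import ipaddress

# Constructed sample Entra ID records (Microsoft Graph directoryAudit / service
# principal sign-in shape, trimmed to the fields used here). Not real tenant data.
AUDIT_LOG = [
    {   # credential added to the backup app's service principal by an app identity
        "activityDateTime": "2025-05-20T08:15:02Z",
        "activityDisplayName": "Add service principal credentials",
        "category": "ApplicationManagement", "result": "success",
        "initiatedBy": {"app": {"displayName": "Commvault Metallic Backup",
                                "servicePrincipalId": "00000000-0000-0000-0000-0000000000aa"},
                        "user": None},
        "targetResources": [{"displayName": "Commvault Metallic Backup", "type": "ServicePrincipal"}],
    },
    {   # planned secret rotation by an approved admin
        "activityDateTime": "2025-05-20T08:16:40Z",
        "activityDisplayName": "Update application – Certificates and secrets management",
        "category": "ApplicationManagement", "result": "success",
        "initiatedBy": {"app": None, "user": {"userPrincipalName": "admin@contoso.example"}},
        "targetResources": [{"displayName": "Commvault Metallic Backup", "type": "Application"}],
    },
    {   # same activity by an account that should not manage app secrets
        "activityDateTime": "2025-05-20T08:20:11Z",
        "activityDisplayName": "Update application – Certificates and secrets management",
        "category": "ApplicationManagement", "result": "success",
        "initiatedBy": {"app": None, "user": {"userPrincipalName": "contractor@contoso.example"}},
        "targetResources": [{"displayName": "Commvault Metallic Backup", "type": "Application"}],
    },
    {   # unrelated noise the hunt must ignore
        "activityDateTime": "2025-05-20T09:00:00Z",
        "activityDisplayName": "Add member to group",
        "category": "GroupManagement", "result": "success",
        "initiatedBy": {"app": None, "user": {"userPrincipalName": "admin@contoso.example"}},
        "targetResources": [{"displayName": "Backup Operators", "type": "Group"}],
    },
]

SIGN_INS = [
    {"createdDateTime": "2025-05-20T08:10:00Z", "servicePrincipalName": "Commvault Metallic Backup", "ipAddress": "203.0.113.45"},
    {"createdDateTime": "2025-05-20T08:14:30Z", "servicePrincipalName": "Commvault Metallic Backup", "ipAddress": "198.51.100.7"},
    {"createdDateTime": "2025-05-20T08:30:00Z", "servicePrincipalName": "Other SaaS Connector", "ipAddress": "198.51.100.9"},
]

BACKUP_SP_NAME = "Commvault Metallic Backup"
APPROVED_ADMINS = {"admin@contoso.example"}
# Placeholder (TEST-NET-3): replace with the vendor's published egress ranges.
ALLOWLIST_CIDRS = ["203.0.113.0/24"]
# Substrings of Entra activity names that denote credential management on apps/SPs.
CREDENTIAL_MARKERS = ("service principal credentials", "certificates and secrets")


def _is_credential_activity(record):
    name = record.get("activityDisplayName", "").lower()
    return any(marker in name for marker in CREDENTIAL_MARKERS)


def _initiator(record):
    """Return ("app", display name) or ("user", UPN) for whoever made the change."""
    who = record.get("initiatedBy") or {}
    app = who.get("app")
    if app:
        return "app", app.get("displayName") or app.get("servicePrincipalId", "<unknown app>")
    user = who.get("user") or {}
    return "user", user.get("userPrincipalName", "<unknown user>")


def suspicious_credential_changes(records, approved_admins):
    """Credential add/update events initiated non-interactively by an application
    identity, or by a user outside the approved admin set."""
    approved = {u.lower() for u in approved_admins}
    flagged = []
    for rec in records:
        if not _is_credential_activity(rec):
            continue
        kind, name = _initiator(rec)
        if kind == "app" or name.lower() not in approved:
            flagged.append({
                "time": rec["activityDateTime"],
                "activity": rec["activityDisplayName"],
                "initiator": f"{kind}:{name}",
                "targets": [t.get("displayName") for t in rec.get("targetResources", [])],
            })
    return flagged


def sign_ins_outside_allowlist(sign_ins, sp_name, allowlist_cidrs):
    """Sign-ins by sp_name whose source IP is in none of the allowlisted networks."""
    nets = [ipaddress.ip_network(c) for c in allowlist_cidrs]
    hits = []
    for s in sign_ins:
        if s.get("servicePrincipalName") != sp_name:
            continue
        ip = ipaddress.ip_address(s["ipAddress"])
        if not any(ip in net for net in nets):
            hits.append({"time": s["createdDateTime"], "ip": s["ipAddress"]})
    return hits


if __name__ == "__main__":
    for hit in suspicious_credential_changes(AUDIT_LOG, APPROVED_ADMINS):
        print("credential change to review:", hit)
    for hit in sign_ins_outside_allowlist(SIGN_INS, BACKUP_SP_NAME, ALLOWLIST_CIDRS):
        print("sign-in outside allowlist:", hit)
```

In a real hunt the two input lists come from the Graph `auditLogs/directoryAudits` and `auditLogs/signIns` endpoints (or a SIEM export); the logic is the same. A credential added by the backup application's own identity is the pattern to prioritize, since a stolen app secret lets an attacker mint a fresh one and survive the rotation.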

For on-premises deployments, organizations should restrict access to Commvault management interfaces to trusted networks and administrative systems, detect and block path-traversal attempts, block suspicious file uploads, apply the necessary patches, and monitor activity originating from unexpected directories.
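The path-traversal and suspicious-upload checks above can be run retroactively over web server access logs. The Python below is an added example, not Commvault's code and not tied to its real endpoints: it parses constructed Apache/Tomcat-style combined log lines (placeholder paths, documentation-range IPs), decodes percent-encoding repeatedly so double-encoded sequences such as %252e%252e%252f collapse, folds backslashes, and flags requests whose decoded target contains a ".." segment or that PUT/POST to a path with a script extension an application server would execute (the extension list is an assumption to tune per deployment).

```python
import re
from urllib.parse import unquote

# Constructed access log lines (Apache/Tomcat combined format). The paths are
# placeholders, not Commvault endpoints; IPs are from documentation ranges.
SAMPLE_LOG = """\
198.51.100.23 - - [20/May/2025:10:01:12 +0000] "GET /app/login HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.23 - - [20/May/2025:10:01:40 +0000] "GET /app/files?name=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0 "-" "curl/8.0"
198.51.100.23 - - [20/May/2025:10:02:05 +0000] "PUT /app/upload/%252e%252e%252fwebapps%252fROOT%252fcmd.jsp HTTP/1.1" 201 0 "-" "curl/8.0"
203.0.113.9 - - [20/May/2025:10:05:00 +0000] "POST /app/upload HTTP/1.1" 200 44 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# ".." standing alone as a path or parameter segment, after decoding and slash folding
TRAVERSAL_RE = re.compile(r'(^|[/=?&])\.\.([/?&]|$)')
# Assumed list of extensions an app server would execute; tune to the deployment.
SCRIPT_EXT_RE = re.compile(r'\.(jspx?|war|aspx?|php)$', re.IGNORECASE)


def normalize(target, rounds=3):
    """Percent-decode until stable (bounded) so %252e -> %2e -> '.', then fold
    backslashes so '..\\' is treated like '../'."""
    cur = target
    for _ in range(rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.replace("\\", "/")


def classify(line):
    """Return a finding dict for a suspicious request, or None for benign or
    unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = normalize(m["target"])
    path_only = decoded.split("?", 1)[0]
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append("path-traversal")
    if m["method"] in ("PUT", "POST") and SCRIPT_EXT_RE.search(path_only):
        reasons.append("script-write")
    if not reasons:
        return None
    return {"ip": m["ip"], "time": m["ts"], "method": m["method"],
            "target": decoded, "status": m["status"], "reasons": reasons}


def scan_log(text):
    """All findings in a block of log text, in file order."""
    return [hit for hit in (classify(line) for line in text.splitlines()) if hit]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Decoding before matching is the point: a filter that only looks for the literal string "../" misses "%2e%2e/" and "%252e%252e/", and a second decode on the server side is exactly what turns the latter into a traversal. The same normalization belongs in any WAF or reverse-proxy rule put in front of the management interface.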

Related: Critical Commvault Vulnerability in Attacker Crosshairs

Related: Stolen Credentials Have Turned SaaS Apps Into Attackers’ Playgrounds

Related: Microsoft Purges Dormant Azure Tenants, Rotates Keys to Prevent Repeat Nation-State Hack

Related: Chinese Spies Exploit Ivanti Vulnerabilities Against Critical Sectors

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
