
The US Cybersecurity and Infrastructure Security Agency (CISA) announced Thursday that Commvault is monitoring cyber threat activity targeting applications hosted in Microsoft Azure Cloud environments.
“The threat actor may have accessed the client secret for the Commvault (Metallic) Microsoft 365 (M365) Backup Software (SaaS) solution.
“This has led to a threat of unauthorized access to the M365 environment of Commvault customers, which has the secrets of the applications they store.”
CISA further noted that this activity could be part of a broader campaign targeting the cloud infrastructure of various software-as-a-service (SaaS) providers with default configurations and high privileges.
The advisory comes just weeks after Commvault revealed that Microsoft notified the company in February 2025 of unauthorized activity by a nation-state threat actor within the Azure environment.
The incident led to the discovery that the threat actors were exploiting a zero-day vulnerability (CVE-2025-3928).
“Based on industry experts, this threat actor will use sophisticated techniques to try to access the customer M365 environment,” Commvault said in the announcement. “This threat actor may have accessed a subset of the app credentials that a particular Commvault customer uses to authenticate the M365 environment.”

Commvault said it took several corrective actions, including rotating app credentials for M365, but emphasized that there was no unauthorized access to customer backup data.
To mitigate such threats, CISA recommends that users and administrators follow the guidelines below:
- Monitor Entra audit logs for unauthorized changes or additional entitlements to service principals initiated by Commvault applications/service principals.
- Review Microsoft logs (Entra audit, Entra sign-in, unified audit log) and carry out internal threat hunting.
- For single-tenant apps, apply restrictive conditional access policies.
- Review Entra's list of application registrations and service principals that hold administrative consent for higher privileges than the business needs, and allow only trusted access to the Commvault management interface.
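One way to run the audit-log check from the guidance above over exported Entra audit records, as an added example (not code from CISA or Commvault). It assumes records in the Microsoft Graph directoryAudit JSON shape; the watched activity names, the "commvault" display-name match and the sample records are assumptions constructed for illustration.

```python
import json

# Assumption: activity names worth alerting on; tune to your tenant's audit log.
WATCHED_ACTIVITIES = {
    "Add service principal credentials",
    "Add app role assignment to service principal",
    "Add delegated permission grant",
    "Consent to application",
}

def flag_sp_changes(records, initiator_keyword="commvault"):
    """Return events where a matching app changed a service principal's credentials or permissions."""
    findings = []
    for rec in records:
        # initiatedBy.app is null when a user, not an application, made the change
        app = (rec.get("initiatedBy") or {}).get("app") or {}
        name = app.get("displayName") or ""
        if initiator_keyword.lower() not in name.lower():
            continue
        if rec.get("activityDisplayName") not in WATCHED_ACTIVITIES:
            continue
        for target in rec.get("targetResources") or []:
            if target.get("type") != "ServicePrincipal":
                continue
            findings.append({
                "time": rec.get("activityDateTime"),
                "activity": rec["activityDisplayName"],
                "initiator": name,
                "target": target.get("displayName"),
                "changed": [p.get("displayName") for p in target.get("modifiedProperties") or []],
            })
    return findings

# Constructed sample records (not real tenant data).
SAMPLE = json.loads("""[
 {"activityDateTime": "2025-05-01T10:00:00Z", "activityDisplayName": "Add service principal credentials",
  "initiatedBy": {"app": {"displayName": "Commvault Example App"}, "user": null},
  "targetResources": [{"type": "ServicePrincipal", "displayName": "Example Backup Connector",
                       "modifiedProperties": [{"displayName": "KeyDescription"}]}]},
 {"activityDateTime": "2025-05-01T10:05:00Z", "activityDisplayName": "Add service principal credentials",
  "initiatedBy": {"app": null, "user": {"userPrincipalName": "admin@example.com"}},
  "targetResources": [{"type": "ServicePrincipal", "displayName": "HR Sync", "modifiedProperties": []}]},
 {"activityDateTime": "2025-05-01T10:10:00Z", "activityDisplayName": "Update service principal",
  "initiatedBy": {"app": {"displayName": "Commvault Example App"}, "user": null},
  "targetResources": [{"type": "ServicePrincipal", "displayName": "Example Backup Connector"}]},
 {"activityDateTime": "2025-05-01T10:15:00Z", "activityDisplayName": "Add app role assignment to service principal",
  "initiatedBy": {"app": {"displayName": "Commvault Example App"}, "user": null},
  "targetResources": [{"type": "ServicePrincipal", "displayName": "Microsoft Graph",
                       "modifiedProperties": [{"displayName": "AppRole.Value"}]}]}
]""")
```

Each finding still needs to be checked against approved change records before it is treated as unauthorized.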
CISA, which added CVE-2025-3928 to its Known Exploited Vulnerabilities (KEV) catalog in late April 2025, said it continues to investigate the malicious activity in collaboration with partner organizations.