CISA Alerts on Expanding SaaS Attacks Exploiting Application Secrets and Cloud Misconfigurations

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory on cyber threat activity targeting applications hosted in Microsoft Azure environments. The advisory centers on an incident at Commvault, a data protection and information management vendor, whose Azure environment supporting its Metallic Microsoft 365 (M365) backup Software-as-a-Service (SaaS) offering was compromised.

According to CISA, threat actors may have accessed client secrets associated with Commvault’s Metallic M365 backup service. This unauthorized access potentially allowed attackers to infiltrate Commvault’s customers’ M365 environments, particularly those with application secrets stored by Commvault. The agency emphasized that this activity could be part of a broader campaign targeting various SaaS providers’ cloud infrastructures, especially those with default configurations and elevated permissions.

Incident Overview

In February 2025, Microsoft notified Commvault of unauthorized activity by a nation-state threat actor within its Azure environment. Subsequent investigation revealed that the attackers exploited a zero-day vulnerability, identified as CVE-2025-3928, in the Commvault Web Server. The flaw allows a remote attacker who already holds valid credentials for the web server to create and execute web shells, providing a foothold for further malicious activity. The authentication requirement matters for triage: exploitation implies the attacker first obtained or stole a working account, which is itself an indicator worth hunting for.

Commvault stated that the threat actor used sophisticated techniques aimed at gaining access to customer M365 environments, and that a subset of the application credentials certain customers use to let Commvault authenticate to their M365 tenants might have been accessed. Commvault also stated that there was no unauthorized access to customer backup data.

Mitigation Measures

In response to the incident, Commvault implemented several remedial actions, including rotating application credentials for M365 to prevent further unauthorized access. To assist organizations in mitigating similar threats, CISA recommends the following measures:

1. Monitor Entra Audit Logs: Regularly review Entra audit logs for any unauthorized modifications or additions of credentials to service principals initiated by Commvault applications or service principals.

2. Conduct Internal Threat Hunting: Analyze Microsoft logs, including Entra audit, Entra sign-in, and unified audit logs, to identify any suspicious activities within the organization’s environment.

3. Implement Conditional Access Policies: For single-tenant applications, establish conditional access policies that restrict authentication of an application service principal to approved IP addresses within Commvault’s allowlisted range.

4. Review Application Registrations and Service Principals: Assess the list of application registrations and service principals in Entra to ensure they do not have higher privileges than necessary for business operations.

5. Restrict Access to Management Interfaces: Limit access to Commvault management interfaces to trusted networks and administrative systems to reduce the risk of unauthorized access.

6. Deploy Web Application Firewalls (WAF): Implement WAFs to detect and block path-traversal attempts and suspicious file uploads against the Commvault web server. Additionally, where the deployment allows it, remove external (internet-facing) access to Commvault applications to minimize exposure.
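The first three recommendations above describe log review that is easy to state and tedious to do by hand. The script below is an added example, not code from CISA or Commvault, showing how the hunt might be run over Entra ID logs exported in the Microsoft Graph `directoryAudit` and `signIn` shapes: it flags credential additions or changes on a watched service principal (and whether an app identity rather than a signed-in administrator initiated them), and flags service-principal sign-ins from outside an approved IP range. The application name "Backup Connector", the allowlisted network 203.0.113.0/24 (a documentation range) and every log record are constructed for this example; substitute the vendor's real application names and published IP range.

```python
"""Hunt exported Microsoft Entra ID logs for the activity the alert describes:
credentials added to an application's service principal, and service-principal
sign-ins from outside the vendor's published IP range.

Field names follow the Microsoft Graph directoryAudit and signIn objects
(auditLogs/directoryAudits, auditLogs/signIns). All records below are
constructed samples for this example, not real tenant data."""
import ipaddress
import json

# Entra audit operations that add or change credentials on an app or
# service principal; these are the events CISA says to review.
CREDENTIAL_OPERATIONS = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}

# Constructed audit records: one app-initiated secret addition, one unrelated
# user change, one admin-initiated secret rotation.
AUDIT_LOGS = json.loads("""[
 {"activityDateTime": "2025-02-20T03:14:07Z",
  "activityDisplayName": "Add service principal credentials",
  "result": "success",
  "initiatedBy": {"user": null,
                  "app": {"displayName": "Backup Connector"}},
  "targetResources": [{"displayName": "Backup Connector",
                       "type": "ServicePrincipal"}]},
 {"activityDateTime": "2025-02-20T09:00:00Z",
  "activityDisplayName": "Update user",
  "result": "success",
  "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"},
                  "app": null},
  "targetResources": [{"displayName": "jane", "type": "User"}]},
 {"activityDateTime": "2025-02-21T11:30:00Z",
  "activityDisplayName": "Update application – Certificates and secrets management",
  "result": "success",
  "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"},
                  "app": null},
  "targetResources": [{"displayName": "Backup Connector",
                       "type": "Application"}]}
]""")

# Constructed service-principal sign-in records (Graph signIn shape, trimmed).
SIGNIN_LOGS = [
    {"createdDateTime": "2025-02-20T03:15:40Z",
     "servicePrincipalName": "Backup Connector",
     "ipAddress": "203.0.113.17", "resourceDisplayName": "Microsoft Graph"},
    {"createdDateTime": "2025-02-20T03:20:02Z",
     "servicePrincipalName": "Backup Connector",
     "ipAddress": "198.51.100.23", "resourceDisplayName": "Microsoft Graph"},
    {"createdDateTime": "2025-02-20T04:00:00Z",
     "servicePrincipalName": "Some Other App",
     "ipAddress": "198.51.100.99", "resourceDisplayName": "Microsoft Graph"},
]

# Hypothetical allowlist: the vendor's published egress range per app.
# 203.0.113.0/24 is a documentation range standing in for the real one.
SP_ALLOWLIST = {"Backup Connector": [ipaddress.ip_network("203.0.113.0/24")]}


def find_credential_changes(audit_logs, watched_apps):
    """Return credential add/change events that target a watched app or
    service principal. Events initiated by an app identity rather than a
    signed-in admin get app_initiated=True, the pattern the alert calls out."""
    hits = []
    for rec in audit_logs:
        if rec.get("activityDisplayName") not in CREDENTIAL_OPERATIONS:
            continue
        targets = {t.get("displayName") for t in rec.get("targetResources", [])}
        matched = targets & set(watched_apps)
        if not matched:
            continue
        initiator = rec.get("initiatedBy") or {}
        if initiator.get("app"):
            who = "app:" + initiator["app"].get("displayName", "?")
        elif initiator.get("user"):
            who = "user:" + initiator["user"].get("userPrincipalName", "?")
        else:
            who = "unknown"
        hits.append({"time": rec["activityDateTime"],
                     "operation": rec["activityDisplayName"],
                     "targets": sorted(matched),
                     "initiated_by": who,
                     "app_initiated": who.startswith("app:")})
    return hits


def find_offrange_signins(signin_logs, sp_allowlist):
    """Return sign-ins by an allowlisted service principal whose source IP
    falls outside every network approved for it. Principals with no
    allowlist entry are skipped: they need their own entry, not a silent pass."""
    hits = []
    for rec in signin_logs:
        spn = rec.get("servicePrincipalName")
        if spn not in sp_allowlist:
            continue
        ip = ipaddress.ip_address(rec["ipAddress"])
        if not any(ip in net for net in sp_allowlist[spn]):
            hits.append({"time": rec["createdDateTime"],
                         "service_principal": spn,
                         "ip": rec["ipAddress"],
                         "resource": rec.get("resourceDisplayName")})
    return hits


if __name__ == "__main__":
    for hit in find_credential_changes(AUDIT_LOGS, {"Backup Connector"}):
        print("credential change:", hit)
    for hit in find_offrange_signins(SIGNIN_LOGS, SP_ALLOWLIST):
        print("off-range sign-in:", hit)
```

Against the constructed data the script reports two credential events on the watched principal (the app-initiated one is the suspicious case; the admin-initiated rotation is expected remediation) and one sign-in from outside the allowlist. In practice the same logic runs over a JSON export from the Graph API or a Log Analytics workspace, and the off-range sign-in check is what a Conditional Access policy for workload identities would enforce preventively rather than detect after the fact.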

Broader Implications

This incident underscores the growing threat landscape targeting SaaS providers and their cloud infrastructures. Threat actors, including state-sponsored groups, are increasingly exploiting misconfigurations and vulnerabilities within cloud environments, and the application secrets a SaaS provider holds on behalf of its customers make that provider a single point of compromise for many tenants at once. Organizations must remain vigilant and proactive in securing their cloud-based applications and services, and in limiting what any one vendor's credentials can reach.

CISA’s inclusion of CVE-2025-3928 in its Known Exploited Vulnerabilities Catalog highlights the severity of this vulnerability and the importance of timely patching and remediation efforts. The agency continues to collaborate with partner organizations to investigate and address malicious activities targeting cloud infrastructures.

Conclusion

The recent alert from CISA serves as a critical reminder for organizations to assess and strengthen their cloud security postures. By implementing the recommended mitigation measures and maintaining continuous monitoring, organizations can better protect themselves against evolving cyber threats targeting SaaS applications and cloud environments.