The United States' Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent advisory after threat actors may have gained unauthorised access to Commvault's services.
This potentially includes multiple customer environments being compromised through the company's Microsoft 365 backup solution.
CISA said the attackers accessed client secrets for Commvault's Metallic software-as-a-service platform, which is hosted on Microsoft Azure.
This breach provided threat actors with unauthorised entry to customers' Microsoft 365 environments where Commvault stored application secrets.
The incident appears to form part of a wider cyber campaign targeting various software-as-a-service companies' cloud applications that use default configurations and elevated permissions.
CISA's warning suggests the attack represents a systematic approach rather than an isolated breach.
Commvault has acknowledged the security incident, attributing it to a nation-state threat actor, and has been monitoring the threat activity targeting applications in its Microsoft Azure cloud environment.
"Our investigation reveals there has been no unauthorised access to customer backup data that Commvault stores and protects, and no material impact on our business operations or our ability to deliver products and services," Commvault said on May 4, US time.
CISA has outlined specific mitigation steps that organisations using Commvault's services must implement immediately.
These include monitoring Microsoft Entra audit logs for unauthorised modifications to service credentials and treating any deviations from regular login schedules as suspicious activity.
Customers with single-tenant applications should implement conditional access policies limiting authentication to approved IP addresses within Commvault's allowlisted range.
However, this protection requires a Microsoft Entra Workload ID Premium License, which comes at additional cost.
For customers who control their own application secrets, CISA recommends rotating credentials on Commvault Metallic applications and service principals used between February and May 2025.
The agency suggests establishing policies for regular credential rotation at least every 30 days.
Organisations should also review their Application Registrations and Service Principals in Entra, particularly those with administrative consent for higher privileges than necessary for business operations.
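The Entra checks listed above (credential changes on the backup application's service principal, sign-ins outside the allowlisted range or the usual schedule, secrets older than the 30-day rotation policy, and permissions granted beyond what the integration needs) can be triaged from exported logs. The following is an added example, not code from CISA or Commvault; the application ID, the allowlisted range, the expected job window and the "needed" permission set are placeholders, and the record shapes loosely follow the Microsoft Graph audit-log, sign-in and credential fields but are constructed here.

```python
"""Added example (not from the CISA advisory or Commvault): triage of
constructed Microsoft Entra audit-log, sign-in and credential records
for the checks the advisory lists."""
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Assumed values: placeholders, not real identifiers from the advisory.
COMMVAULT_APP_ID = "00000000-0000-0000-0000-000000000000"   # placeholder app id
ALLOWED_RANGES = [ip_network("203.0.113.0/24")]              # placeholder (TEST-NET-3)
EXPECTED_HOURS = range(1, 5)          # backup jobs expected 01:00-04:59 UTC (assumed)
MAX_SECRET_AGE = timedelta(days=30)   # rotation policy from the advisory
NOW = datetime(2025, 5, 22, 12, 0, tzinfo=timezone.utc)  # fixed "now" for determinism

# Constructed audit-log entries (shape modelled on Graph directoryAudit records).
AUDIT_EVENTS = [
    {"activityDisplayName": "Update application - Certificates and secrets management",
     "activityDateTime": "2025-05-20T03:15:00Z",
     "initiatedBy": "backup-admin@example.com",
     "targetResources": [{"id": COMMVAULT_APP_ID}]},
    {"activityDisplayName": "Update user",
     "activityDateTime": "2025-05-20T09:00:00Z",
     "initiatedBy": "helpdesk@example.com",
     "targetResources": [{"id": "11111111-1111-1111-1111-111111111111"}]},
]

# Constructed service-principal sign-ins.
SIGN_INS = [
    {"appId": COMMVAULT_APP_ID, "ipAddress": "203.0.113.10", "createdDateTime": "2025-05-21T02:00:00Z"},
    {"appId": COMMVAULT_APP_ID, "ipAddress": "198.51.100.7", "createdDateTime": "2025-05-21T14:30:00Z"},
]

# Constructed client-secret inventory for the application.
SECRETS = [
    {"keyId": "secret-a", "startDateTime": "2025-02-01T00:00:00Z"},
    {"keyId": "secret-b", "startDateTime": "2025-05-10T00:00:00Z"},
]

# Constructed application-permission grants; the "needed" set is illustrative,
# not Commvault's documented requirement.
GRANTED_APP_ROLES = ["Sites.Read.All", "Mail.Read", "Directory.ReadWrite.All"]
NEEDED_APP_ROLES = {"Sites.Read.All", "Mail.Read"}


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def flag_secret_changes(events, app_id=COMMVAULT_APP_ID):
    """Audit events that touch certificates or secrets of the watched application."""
    return [e for e in events
            if "secrets" in e["activityDisplayName"].lower()
            and any(t["id"] == app_id for t in e["targetResources"])]


def flag_sign_ins(sign_ins, app_id=COMMVAULT_APP_ID, allowed=ALLOWED_RANGES, hours=EXPECTED_HOURS):
    """Return (sign_in, reasons) for the app's sign-ins outside the allowlist or schedule."""
    findings = []
    for s in sign_ins:
        if s["appId"] != app_id:
            continue
        reasons = []
        ip = ip_address(s["ipAddress"])
        if not any(ip in net for net in allowed):
            reasons.append("ip-not-allowlisted")
        if parse_ts(s["createdDateTime"]).hour not in hours:
            reasons.append("off-schedule")
        if reasons:
            findings.append((s, reasons))
    return findings


def stale_secrets(secrets, now=NOW, max_age=MAX_SECRET_AGE):
    """Key ids of secrets older than the rotation policy."""
    return [s["keyId"] for s in secrets if now - parse_ts(s["startDateTime"]) > max_age]


def excess_permissions(granted, needed=NEEDED_APP_ROLES):
    """Application permissions granted beyond the documented need."""
    return sorted(set(granted) - needed)


if __name__ == "__main__":
    for e in flag_secret_changes(AUDIT_EVENTS):
        print("credential change:", e["activityDateTime"], e["initiatedBy"])
    for s, why in flag_sign_ins(SIGN_INS):
        print("suspicious sign-in:", s["ipAddress"], s["createdDateTime"], why)
    print("rotate:", stale_secrets(SECRETS))
    print("over-privileged:", excess_permissions(GRANTED_APP_ROLES))
```

In a real tenant the same functions would be fed from Graph exports of the directory audit log, the service-principal sign-in log and the application's credential list; the point is that each advisory item maps to a concrete, repeatable check rather than a one-off manual review.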
The security concerns extend beyond cloud services to on-premises software versions.
CISA advises restricting access to Commvault management interfaces to trusted networks and administrative systems where technically feasible.
Companies should deploy Web Application Firewalls (WAFs) to detect and block path-traversal attempts and suspicious file uploads, whilst removing external access to Commvault applications.
Monitoring activity from unexpected directories, particularly web-accessible paths, has become essential.
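For the on-premises guidance above, the two things to watch in web-server logs are traversal sequences in requested paths and write requests landing in web-accessible directories the application is not expected to serve. The following is an added example, not code from CISA or Commvault: it parses constructed access-log lines in the common "combined" format and flags both indicators. The expected path prefixes are placeholders, and the sample lines use TEST-NET addresses.

```python
"""Added example (not from the advisory or Commvault): triage of constructed
web-server access-log lines for path-traversal attempts and writes outside
the application's expected web paths."""
import re
from urllib.parse import unquote

# ip ident user [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Assumed: the application is only expected to serve these prefixes (placeholders).
EXPECTED_PREFIXES = ("/webconsole/", "/api/")
WRITE_METHODS = {"POST", "PUT"}


def decode_path(path):
    """Decode twice so double-encoded sequences are normalised before matching."""
    return unquote(unquote(path))


def is_traversal(path):
    """True if the normalised path contains a parent-directory sequence."""
    p = decode_path(path).replace("\\", "/")
    return "../" in p or p.endswith("/..")


def triage(lines, prefixes=EXPECTED_PREFIXES):
    """Return one finding per log line that shows either indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, method, path, status, _ = m.groups()
        reasons = []
        if is_traversal(path):
            reasons.append("path-traversal")
        if method in WRITE_METHODS and not path.startswith(prefixes):
            reasons.append("write-outside-app-paths")
        if reasons:
            findings.append({"ip": ip, "time": ts, "method": method,
                             "path": path, "status": int(status), "reasons": reasons})
    return findings


# Constructed sample lines (TEST-NET addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [22/May/2025:10:01:02 +0000] "GET /webconsole/login HTTP/1.1" 200 512',
    '198.51.100.9 - - [22/May/2025:10:01:07 +0000] "GET /webconsole/..%2f..%2fconfig.xml HTTP/1.1" 404 0',
    '198.51.100.9 - - [22/May/2025:10:01:09 +0000] "POST /images/new-file.txt HTTP/1.1" 201 0',
    '203.0.113.5 - - [22/May/2025:10:02:00 +0000] "POST /api/jobs HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["ip"], f["method"], f["path"], f["status"], f["reasons"])
```

Decoding before matching matters because a WAF or log review that only looks for the literal `../` misses percent-encoded forms; a 2xx status on a flagged write is the case to escalate first, since it indicates the request was not blocked.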
CISA has added CVE-2025-3928 to its Known Exploited Vulnerabilities Catalogue and continues investigating the malicious activity alongside partner organisations.