The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday revealed that Commvault is monitoring cyber threat activity targeting applications hosted in their Microsoft Azure cloud environment.
“Threat actors may have accessed client secrets for Commvault’s (Metallic) Microsoft 365 (M365) backup software-as-a-service (SaaS) solution, hosted in Azure,” the agency said.
“This provided the threat actors with unauthorized access to Commvault’s customers’ M365 environments that have application secrets stored by Commvault.”
CISA further noted that the activity may be part of a broader campaign targeting various software-as-a-service (SaaS) providers’ cloud infrastructures with default configurations and elevated permissions.
The advisory comes weeks after Commvault revealed that Microsoft notified the company in February 2025 of unauthorized activity by a nation-state threat actor within its Azure environment.
The incident led to the discovery that the threat actors had been exploiting a zero-day vulnerability (CVE-2025-3928), an unspecified flaw in the Commvault Web Server that enables a remote, authenticated attacker to create and execute web shells.
“Based on industry experts, this threat actor uses sophisticated techniques to try to gain access to customer M365 environments,” Commvault said in an announcement. “This threat actor may have accessed a subset of app credentials that certain Commvault customers use to authenticate their M365 environments.”
Commvault said it has taken several remedial actions, including rotating app credentials for M365, but emphasized that there has been no unauthorized access to customer backup data.
To mitigate such threats, CISA is recommending that users and administrators follow the below guidelines –
- Monitor Entra audit logs for unauthorized modifications or additions of credentials to service principals initiated by Commvault applications/service principals
- Review Microsoft logs (Entra audit, Entra sign-in, unified audit logs) and conduct internal threat hunting
- For single tenant apps, implement a conditional access policy that limits authentication of an application service principal to an approved IP address that is listed within Commvault’s allowlisted range of IP addresses
- Review the list of Application Registrations and Service Principals in Entra with administrative consent for higher privileges than the business need
- Restrict access to Commvault management interfaces to trusted networks and administrative systems
- Detect and block path-traversal attempts and suspicious file uploads by deploying a Web Application Firewall and removing external access to Commvault applications
CISA, which added CVE-2025-3928 to its Known Exploited Vulnerabilities Catalog in late April 2025, said it’s continuing to investigate the malicious activity in collaboration with partner organizations.
