
Threat actor targeting Commvault SaaS cloud application


CISA issued an alert on May 22 2025 warning that threat actors had compromised Commvault's Azure-hosted Metallic SaaS backup platform. The attackers specifically targeted and accessed client secrets that Commvault customers use to protect their Microsoft 365 (M365) backups. By obtaining these secrets, the threat actors could potentially access affected customers' M365 environments, manipulate service principal configurations, and gain unauthorized access to business-critical data including email, SharePoint, and OneDrive content.


Attack Methodology

Initial access: Exploitation of CVE‑2025‑3928 on Commvault Web Server to deploy web shells inside Commvault’s Azure environment.


What was exposed: A subset of stored app credentials (client secrets) that certain customers use for Metallic‑managed M365 backups.


CISA believes this activity is part of a larger wave of attacks abusing default SaaS configurations and over‑privileged service principals across multiple vendors.


Recommended Actions

Threat hunting

  • Review Microsoft Entra audit, sign‑in, and unified logs for any unauthorized addition or modification of credentials linked to Commvault service principals.
  • Flag sign‑ins outside normal schedules or from known malicious IPs:
    • 108.69.148[.]100
    • 128.92.80[.]210
    • 184.153.42[.]129
    • 108.6.189[.]53
    • 154.223.17[.]243
    • 159.242.42[.]20
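The two hunting checks above, run over constructed Entra audit and service-principal sign-in records, as an added Python example that is not part of the original post. The audit activity names and the "Commvault" display-name match are assumptions to adjust for your tenant; the IP set is the CISA list above.

```python
from datetime import datetime
# Known malicious IPs from the CISA advisory (the list in the hunting section above).
SUSPICIOUS_IPS = {"108.69.148.100", "128.92.80.210", "184.153.42.129",
                  "108.6.189.53", "154.223.17.243", "159.242.42.20"}
# Entra audit activity names that record credential changes on app objects.
# Assumption: verify these strings against your own tenant's audit records.
CREDENTIAL_OPS = {"Update application – Certificates and secrets management",
                  "Add service principal credentials"}

def flag_credential_changes(audit_entries, sp_name_hint="Commvault"):
    # Return (time, actor, targets) for credential changes on apps whose name matches the hint.
    hits = []
    for e in audit_entries:
        if e.get("activityDisplayName") not in CREDENTIAL_OPS:
            continue
        targets = [t.get("displayName", "") for t in e.get("targetResources", [])]
        if not any(sp_name_hint.lower() in t.lower() for t in targets):
            continue
        who = e.get("initiatedBy") or {}  # Graph fills "user" or "app"; the other is null
        actor = ((who.get("user") or {}).get("userPrincipalName")
                 or (who.get("app") or {}).get("displayName") or "unknown")
        hits.append((e["activityDateTime"], actor, targets))
    return hits

def flag_sp_signins(signins, work_hours=(7, 19)):
    # Flag service-principal sign-ins from known-bad IPs or outside work hours (UTC timestamps).
    hits = []
    for s in signins:
        hour = datetime.fromisoformat(s["createdDateTime"].replace("Z", "+00:00")).hour
        reasons = []
        if s.get("ipAddress") in SUSPICIOUS_IPS:
            reasons.append("known-bad IP")
        if not work_hours[0] <= hour < work_hours[1]:
            reasons.append("outside normal schedule")
        if reasons:
            hits.append((s["createdDateTime"], s.get("servicePrincipalName"),
                         s.get("ipAddress"), reasons))
    return hits
AUDIT = [  # constructed sample record in the Graph auditLogs/directoryAudits JSON shape
    {"activityDateTime": "2025-02-18T03:12:44Z",
     "activityDisplayName": "Update application – Certificates and secrets management",
     "initiatedBy": {"user": {"userPrincipalName": "backup-admin@example.com"}, "app": None},
     "targetResources": [{"displayName": "Commvault Metallic M365 Backup"}]},
]
SIGNINS = [  # constructed sample records in the Graph auditLogs/signIns JSON shape
    {"createdDateTime": "2025-02-19T02:40:11Z", "ipAddress": "108.69.148.100",
     "servicePrincipalName": "Commvault Metallic M365 Backup"},
    {"createdDateTime": "2025-02-19T09:15:00Z", "ipAddress": "203.0.113.7",
     "servicePrincipalName": "Commvault Metallic M365 Backup"},
]
```

Feed exported audit and sign-in JSON (for example from the Graph auditLogs endpoints) into the two functions and review every hit, since a legitimate secret rotation by your own admins will also match.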


Rotate credentials

  • Immediately rotate M365 app secrets used by Commvault Metallic and set a 30‑day (or shorter) rotation policy going forward.
  • For single‑tenant apps, revalidate scopes to enforce least‑privilege permissions.


Conditional Access

  • Apply Conditional Access policies restricting Commvault service‑principal logins to Commvault’s allow‑listed IP ranges (Entra Workload ID Premium required).


Patch & harden

  • Apply Commvault patches addressing CVE‑2025‑3928 and follow updated hardening guides (Article 87661).
  • Remove external access to legacy Commvault web modules where possible.


Timeline

  • Feb 20 2025: Microsoft alerts Commvault to unauthorized activity.
  • Apr 2025: Microsoft provides additional threat intel; Commvault updates advisory.
  • May 22 2025: CISA issues public advisory; CVE‑2025‑3928 added to KEV catalog.


Summary

Stolen application secrets can give attackers privileged, API‑level access to M365 data, often without triggering user sign‑in alerts. Immediate credential rotation, strict Conditional Access, and vigilant log monitoring are critical to contain potential compromise and prevent follow‑on SaaS supply‑chain attacks.
