- Nation-state hackers are abusing a Commvault zero-day to target SaaS companies
- CISA is warning users to patch their systems
- A large-scale campaign is currently ongoing, it was said
The US Cybersecurity and Infrastructure Security Agency (CISA) is warning the recent breach at Commvault could put many Software-as-a-Service (SaaS) providers at risk.
In a recently published security advisory, the agency said the attack is being monitored, and urged Commvault’s customers to mitigate possible risks.
Commvault’s flagship product, Metallic. is a cloud-based SaaS data protection platform that provides secure backup and recovery for Microsoft 365, endpoints, VMs, databases, and other workloads. It is all hosted on Microsoft Azure, and CISA says unnamed threat actors “may have accessed client secrets for Commvault’s (Metallic) Microsoft 365 backup SaaS solution.”
“This provided the threat actors with unauthorized access to Commvault’s customers’ M365 environments that have application secrets stored by Commvault.”
At the same time, Commvault published a blog post in which it said that Microsoft reached out to warn about an ongoing state-sponsored cyberattack.
The company confirmed a “handful of customers” were targeted through a zero-day vulnerability tracked as CVE-2025-3928, an unspecified flaw in Commvault Web Server that can be exploited by a remote, authenticated attacker.
CISA added it to its catalog of known exploited vulnerabilities (KEV) on April 28, giving Federal Civilian Executive Branch (FCEB) agencies a three-week deadline to patch things up. The bug was fixed in versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for Windows and Linux platforms.
“CISA believes the threat activity may be part of a larger campaign targeting various SaaS companies’ cloud applications with default configurations and elevated permissions,” the agency added in the advisory.
The agency has also made a list of mitigations that companies should follow to minimize the chances of getting struck. These include monitoring Entra audit logs, reviewing Microsoft logs, reviewing the list of Application Registrations and Service Principles in Entra, and more. The entire list can be found on this link.
Via The Register
Leave a Comment
Your email address will not be published. Required fields are marked *