Rising Threats to Commvault Applications in Microsoft Azure
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning this week regarding nation-state threat actors targeting Commvault applications hosted on Microsoft Azure. This threat is viewed as part of a larger scheme aimed at exploiting Software-as-a-Service (SaaS) applications, prompting significant concern among industry leaders and cybersecurity experts alike.
Details Surrounding the CISA Advisory
On May 22, CISA released an advisory that expanded on a warning Commvault had issued earlier this month. Both organizations reported that the attackers have been exploiting CVE-2025-3928 to compromise Commvault applications in Commvault's Azure cloud environment, with the apparent goal of gaining unauthorized access to customers' Microsoft 365 (M365) environments.
CISA’s advisory indicates that the threat to Commvault’s M365 applications may be indicative of a broader campaign targeting various SaaS platforms with default configurations and elevated permissions. While CISA does not specify which other SaaS applications could be at risk, both CISA and Commvault have issued guidance aimed at safeguarding Commvault and M365 environments, with some measures likely applicable to additional SaaS offerings.
Insights on the Commvault M365 Threat Campaign
CISA’s advisory states that the threat actors may have obtained client secrets for Commvault’s Metallic Microsoft 365 backup solution hosted in Azure. This would have given them unauthorized access to the M365 environments of those Commvault customers whose application secrets Commvault stored.
In an update from May 4, Commvault acknowledged that the threat actor could have accessed a limited number of app credentials that certain customers use to authenticate their M365 environments. In response to this incident, Commvault has initiated several remedial measures, including rotating credentials and providing recommended actions for their customers.
Protective Measures for Commvault and M365
CISA has recommended that affected organizations take a proactive stance. This includes applying necessary updates and patches, as well as adhering to detailed mitigation strategies and best practices. Some of these recommendations encompass:
- Monitoring Entra Audit Logs: Organizations should closely watch audit logs for unauthorized modifications to, or new credentials added to, service principals by Commvault applications. Any deviation from usual login behavior should be treated with suspicion.
- Reviewing Microsoft Entra Logs: Examine Entra audit, Entra sign-in, and unified audit logs periodically and conduct internal threat hunting when anomalies are detected.
- Implementing Conditional Access Policies: For single-tenant applications, a conditional access policy can limit authentication of application service principals to an approved list of IP addresses within Commvault’s specified range. Note that these conditional access policies require a Microsoft Entra Workload ID Premium license.
- Credential Management: Customers are encouraged to adopt a policy of regularly rotating credentials, at least every 30 days.
- Scrutinizing Application Registrations: Review Application Registrations and Service Principals in Entra for administrative consents that grant higher privileges than required.
- M365 Security Recommendations: Follow the security recommendations in CISA’s Secure Cloud Business Applications (SCuBA) initiative.
- Restricting Access: Where feasible, limit access to Commvault management interfaces to trusted networks and systems as part of a defense-in-depth strategy.
- Detecting Suspicious Activity: Deploy Web Application Firewalls to detect and block path-traversal attempts and unwanted file uploads. Removing external access to Commvault applications adds another layer of security.
- Monitoring Directory Activity: Monitor activity in unexpected directories, particularly those accessible via the web, to catch intrusions early.
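The first and fourth recommendations above (watching for new credentials added to service principals, and rotating secrets at least every 30 days) can be checked against exported Entra data. This is an added illustration, not code from CISA or Commvault: the field names follow the Microsoft Graph directoryAudit and passwordCredential shapes, while the sample records, the "Commvault Cloud Automation" initiator name and the dates are constructed.

```python
"""Flag service-principal credential additions in exported Entra audit logs and
secrets overdue for 30-day rotation (sample records below are constructed)."""
from datetime import datetime, timedelta, timezone

# Credential-management operation as it is named in Entra audit logs.
CREDENTIAL_OPS = {"Add service principal credentials"}
ROTATION_MAX_AGE = timedelta(days=30)  # interval recommended in the advisory


def find_credential_changes(audit_records, expected_initiators):
    """Return (time, actor, target) for credential additions on service
    principals made by anyone other than an expected automation identity."""
    hits = []
    for rec in audit_records:
        if rec.get("activityDisplayName") not in CREDENTIAL_OPS:
            continue
        who = rec.get("initiatedBy", {})
        actor = (who.get("app") or who.get("user") or {}).get("displayName", "<unknown>")
        if actor in expected_initiators:
            continue
        for target in rec.get("targetResources", []):
            if target.get("type") == "ServicePrincipal":
                hits.append((rec["activityDateTime"], actor, target.get("displayName")))
    return hits


def overdue_secrets(password_credentials, now, max_age=ROTATION_MAX_AGE):
    """Return keyIds of secrets whose startDateTime is older than max_age."""
    def parse(ts):  # Graph returns UTC timestamps with a trailing Z
        return datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return [c["keyId"] for c in password_credentials if now - parse(c["startDateTime"]) > max_age]


# Constructed sample input (not real log data); initiator names are hypothetical.
SAMPLE_AUDIT = [
    {"activityDateTime": "2025-05-20T02:14:00Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"app": {"displayName": "Unknown-Client"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "Commvault Backup App"}]},
    {"activityDateTime": "2025-05-19T10:00:00Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"app": {"displayName": "Commvault Cloud Automation"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "Commvault Backup App"}]},
]
SAMPLE_SECRETS = [
    {"keyId": "old-secret", "startDateTime": "2025-03-01T00:00:00Z"},
    {"keyId": "fresh-secret", "startDateTime": "2025-05-10T00:00:00Z"},
]
NOW = datetime(2025, 5, 22, tzinfo=timezone.utc)
```

Running `find_credential_changes(SAMPLE_AUDIT, {"Commvault Cloud Automation"})` surfaces only the addition made by the unexpected initiator, and `overdue_secrets(SAMPLE_SECRETS, NOW)` returns the secret that has passed the 30-day mark.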
Addressing Malicious Activity
Commvault has also published a list of IP addresses linked to the malicious activity for customers to consider blocking.
By taking these recommended actions, organizations can bolster their defenses against the ongoing threats targeting Commvault applications and other SaaS products. This collaborative effort between CISA and Commvault aims to ensure a more secure operational environment in the complex landscape of cloud technologies and services.