
Commvault Security Flaw Exploited in SaaS Campaign


A critical Commvault vulnerability is now being actively exploited in what the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns may be part of a broader offensive against SaaS platforms—particularly those hosted in cloud environments like Azure.

The flaw, tracked as CVE-2025-3928 and carrying a high CVSS score of 8.7, allows remote attackers to deploy and execute malicious webshells, giving them complete control over compromised systems. Commvault quietly issued a patch back in February after Microsoft reported signs of zero-day exploitation by what it suspects to be a state-sponsored threat actor targeting Azure infrastructure.

At first, the compromise seemed limited. But by late April, the issue had escalated: CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, signaling a growing threat.

More recently, Commvault expanded its advisory to warn that threat actors might have gained access to certain application credentials that customers use to integrate Commvault with Microsoft 365 (M365). These credentials could potentially expose connected M365 environments to further attacks.

To mitigate potential damage, Commvault has shared detailed Indicators of Compromise (IoCs) and rotated credentials. The company also bolstered its monitoring systems. So far, only a small group of customers—those shared between Commvault and Microsoft—were reportedly affected. Crucially, the firm insists that customer backup data remains untouched.

CISA, however, has issued a broader warning: the exploitation of CVE-2025-3928 might be just one part of a coordinated campaign targeting cloud applications that run with default settings and elevated privileges. The concern is that attackers could be probing other SaaS platforms for similar weaknesses.

To defend against this threat, organizations using Commvault and M365 are urged to take immediate action. That includes rotating application credentials and secrets, auditing Entra logs for anomalies, reviewing admin access, and enabling conditional access policies. CISA also recommends proactive threat hunting and stronger identity management practices.
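As an added, defender-side illustration of the "audit Entra logs for anomalies" step (example code written for this page, not Commvault's or CISA's tooling): it replays constructed service-principal sign-in records for a hypothetical backup-connector app and flags successful sign-ins whose source IP never appeared during a baseline window. The app name, app IDs, IP addresses and the simplified field subset are all assumptions, loosely modelled on the Microsoft Graph sign-in schema.

```python
import json
from datetime import datetime, timezone

# Constructed sample of service-principal sign-in records (JSON lines).
# Field names are a simplified subset modelled on the Graph signIns schema;
# app names, app IDs and IPs are hypothetical, not real log data.
SAMPLE_SIGNINS_JSONL = """
{"createdDateTime":"2025-02-10T08:00:12Z","appDisplayName":"Backup Connector (hypothetical)","appId":"00000000-0000-0000-0000-0000000000aa","ipAddress":"203.0.113.10","status":{"errorCode":0}}
{"createdDateTime":"2025-02-11T08:00:40Z","appDisplayName":"Backup Connector (hypothetical)","appId":"00000000-0000-0000-0000-0000000000aa","ipAddress":"203.0.113.10","status":{"errorCode":0}}
{"createdDateTime":"2025-02-20T02:13:55Z","appDisplayName":"Backup Connector (hypothetical)","appId":"00000000-0000-0000-0000-0000000000aa","ipAddress":"198.51.100.77","status":{"errorCode":0}}
{"createdDateTime":"2025-02-20T02:14:09Z","appDisplayName":"Backup Connector (hypothetical)","appId":"00000000-0000-0000-0000-0000000000aa","ipAddress":"198.51.100.77","status":{"errorCode":0}}
{"createdDateTime":"2025-02-20T02:15:00Z","appDisplayName":"Backup Connector (hypothetical)","appId":"00000000-0000-0000-0000-0000000000aa","ipAddress":"198.51.100.78","status":{"errorCode":50126}}
{"createdDateTime":"2025-02-21T09:30:00Z","appDisplayName":"Other App (hypothetical)","appId":"00000000-0000-0000-0000-0000000000bb","ipAddress":"192.0.2.5","status":{"errorCode":0}}
"""


def parse_signins(jsonl: str) -> list[dict]:
    """Parse JSON-lines sign-in export into a list of records."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def _ts(record: dict) -> datetime:
    # Graph timestamps are UTC with a trailing 'Z'; normalise for fromisoformat.
    return datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))


def find_new_source_ips(records: list[dict], app_id: str, baseline_until: str) -> list[dict]:
    """Return successful sign-ins for app_id after baseline_until whose source IP
    was never seen for that app during the baseline window. Failed sign-ins are
    ignored: credential abuse shows up as successful use of the app secret.
    An app with no baseline history has every later sign-in flagged, which is
    the intended conservative behaviour for a freshly registered integration."""
    cutoff = datetime.fromisoformat(baseline_until.replace("Z", "+00:00"))
    ok = [r for r in records if r["appId"] == app_id and r["status"]["errorCode"] == 0]
    known_ips = {r["ipAddress"] for r in ok if _ts(r) <= cutoff}
    return [r for r in ok if _ts(r) > cutoff and r["ipAddress"] not in known_ips]


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_SIGNINS_JSONL)
    for hit in find_new_source_ips(recs, "00000000-0000-0000-0000-0000000000aa", "2025-02-15T00:00:00Z"):
        print(f"{hit['createdDateTime']} {hit['appDisplayName']} new source IP {hit['ipAddress']}")
```

In practice the baseline window should precede the earliest suspected exposure date, and any hit for a backup integration's app credential is a trigger to rotate that secret and review what the principal did afterwards.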

For those running on-premises versions of Commvault, the agency suggests limiting access to admin interfaces, blocking path traversal and suspicious file uploads, and applying the latest patches without delay.

With SaaS environments increasingly targeted, CISA’s advisory reinforces a familiar lesson: even trusted backup platforms can become a weak link if misconfigured or unpatched.
