CISA flags Commvault zero-day as part of wider SaaS attack campaign

The US Cybersecurity and Infrastructure Security Agency (CISA) has warned about threat actors abusing Commvault’s SaaS cloud application, Metallic, to access its clients’ critical application secrets.

According to a CISA advisory, threat actors may have accessed client secrets from Commvault’s Metallic Microsoft 365 (M365) backup solution, hosted in Microsoft Azure. This, in turn, provided them unauthorized access to customers’ M365 environments that have application secrets stored by Commvault.

The unauthorized access to secrets for Commvault’s M365 was achieved through a zero-day exploit. Microsoft warned Commvault in February about an unspecified, high-severity vulnerability (tracked as CVE-2025-3928) affecting Commvault Web Server and that a nation-state actor was actively exploiting it to gain access to Azure environments.

Thomas Richards, infrastructure security practice director at Black Duck, said SaaS workflows are inherently vulnerable. “While SaaS solutions take the administrative load off organizations when it comes to hosting and infrastructure concerns, the flip side of this is that organizations don’t have a way to secure or control those environments,” he said. “When Commvault was compromised, the victims weren’t even aware of a breach.”

Why CVE-2025-3928 matters to SaaS security

In the advisory, CISA noted that it suspects the exploitation of CVE-2025-3928 is part of a wider campaign targeting SaaS applications with default settings and high-level permissions.

Commenting on CISA’s note, James Maude, Field CTO at BeyondTrust, said, “This highlights the risks involved in allowing third parties privileged access into your environment, their breach becomes your breach.”

“While many organizations have robust controls for issuing and managing the access of human accounts used by contractors and 3rd parties, the story is often very different when it comes to non-human identities and secrets that enable machine-to-machine interactions,” Maude added.

Based on Commvault’s investigation, the nation-state actors obtained, through zero-day abuse of CVE-2025-3928, a subset of app credentials that certain Commvault customers used to authenticate their M365 environments.

CISA calls for swift patching

The high-severity flaw (CVSS 8.7 out of 10) affecting Commvault Web Server allowed bad actors to create and execute webshells within compromised environments. On 28 April 2025, CISA added the three vulnerabilities to its Known Exploited Vulnerabilities Catalog (KEV), giving FCEB agencies until 19 May 2025 to patch their systems under the directive to remediate dangerous vulnerabilities across civilian agencies.

The company fixed the flaw promptly after being flagged by Microsoft in February. Fixes were rolled out in Commvault versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217.

CISA recommended that organizations immediately apply patches along with additional mitigations, which include monitoring and reviewing Microsoft Entra audit logs, Entra sign-in, and unified audit logs, implementing a conditional access policy to limit authentication within single-tenant applications, and rotating application secrets and credentials on Commvault Metallic applications.
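The three log-side mitigations above (reviewing Entra sign-in and audit logs, and rotating the application secrets stored with the provider) come down to a few concrete checks a tenant admin can script against exported log records. The following is an added example and not code from the article, CISA or Commvault: it triages constructed records shaped like the Microsoft Graph signIn, directoryAudit and application (passwordCredentials) resources, flags service-principal sign-ins for the backup app from sources outside an expected allow-list, flags audit events that changed the app's certificates or secrets, and lists secrets issued before a rotation cut-off. The application ID, IP addresses, key IDs and the allow-list are placeholders; the expected source ranges would be replaced with the provider's published egress addresses.

```python
"""Triage exported Microsoft Entra sign-in and audit logs for a backup
service principal.  Added example; the record shapes follow the Graph
signIn, directoryAudit and application resources, but every event, ID
and address below is constructed for illustration.
"""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed placeholder: application (client) ID of the backup app
# registration whose secret is held by the SaaS provider.
BACKUP_APP_ID = "00000000-0000-0000-0000-00000000beef"

# Placeholder allow-list of source ranges the provider is expected to
# authenticate from (TEST-NET-3, constructed; use the vendor's real ranges).
EXPECTED_SOURCES = [ip_network("203.0.113.0/24")]

# Constructed sign-in records in the shape of /auditLogs/signIns; service
# principal sign-ins carry servicePrincipalId rather than userId.
SIGN_INS = [
    {"id": "s1", "createdDateTime": "2025-04-20T01:00:00Z",
     "appId": BACKUP_APP_ID, "appDisplayName": "Backup M365 Connector",
     "servicePrincipalId": "sp-1", "ipAddress": "203.0.113.10",
     "resourceDisplayName": "Microsoft Graph", "status": {"errorCode": 0}},
    {"id": "s2", "createdDateTime": "2025-04-21T03:12:00Z",
     "appId": BACKUP_APP_ID, "appDisplayName": "Backup M365 Connector",
     "servicePrincipalId": "sp-1", "ipAddress": "198.51.100.77",
     "resourceDisplayName": "Microsoft Graph", "status": {"errorCode": 0}},
    {"id": "s3", "createdDateTime": "2025-04-21T03:15:00Z",
     "appId": "11111111-2222-3333-4444-555555555555", "appDisplayName": "Other",
     "servicePrincipalId": "sp-9", "ipAddress": "198.51.100.77",
     "resourceDisplayName": "Microsoft Graph", "status": {"errorCode": 0}},
]

# Constructed audit records in the shape of /auditLogs/directoryAudits.
AUDITS = [
    {"id": "a1", "activityDateTime": "2025-04-21T03:20:00Z",
     "category": "ApplicationManagement",
     "activityDisplayName": "Update application - Certificates and secrets management",
     "initiatedBy": {"app": {"appId": BACKUP_APP_ID}},
     "targetResources": [{"displayName": "Backup M365 Connector"}]},
    {"id": "a2", "activityDateTime": "2025-04-22T09:00:00Z",
     "category": "ApplicationManagement",
     "activityDisplayName": "Update application",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
     "targetResources": [{"displayName": "Backup M365 Connector"}]},
]

# Constructed application object with two client secrets (passwordCredentials).
BACKUP_APP = {
    "appId": BACKUP_APP_ID,
    "passwordCredentials": [
        {"keyId": "k-old", "startDateTime": "2024-11-01T00:00:00Z",
         "endDateTime": "2026-11-01T00:00:00Z"},
        {"keyId": "k-new", "startDateTime": "2025-05-05T00:00:00Z",
         "endDateTime": "2027-05-05T00:00:00Z"},
    ],
}


def _parse(ts: str) -> datetime:
    """Parse Graph's ISO-8601 UTC timestamps ('...Z') into aware datetimes."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def unexpected_sign_ins(sign_ins, app_id, expected_sources):
    """Ids of service-principal sign-ins by app_id from outside expected_sources.

    A stolen application secret is replayed from the attacker's own
    infrastructure, so the backup app's identity shows up authenticating
    from addresses the provider never uses."""
    flagged = []
    for rec in sign_ins:
        if rec.get("appId") != app_id or "servicePrincipalId" not in rec:
            continue
        src = ip_address(rec["ipAddress"])
        if not any(src in net for net in expected_sources):
            flagged.append(rec["id"])
    return flagged


def secret_changes(audits):
    """Ids of audit events that altered an app's certificates or secrets;
    whoever holds one valid secret may add another for persistence."""
    return [a["id"] for a in audits
            if a.get("category") == "ApplicationManagement"
            and "Certificates and secrets management" in a.get("activityDisplayName", "")]


def stale_secrets(app, rotated_after):
    """keyIds of client secrets issued before rotated_after, i.e. the ones
    that still need rotating after the disclosure."""
    cutoff = _parse(rotated_after)
    return [c["keyId"] for c in app.get("passwordCredentials", [])
            if _parse(c["startDateTime"]) < cutoff]


if __name__ == "__main__":
    print("sign-ins from unexpected sources:",
          unexpected_sign_ins(SIGN_INS, BACKUP_APP_ID, EXPECTED_SOURCES))
    print("certificate/secret changes:", secret_changes(AUDITS))
    print("secrets still to rotate:", stale_secrets(BACKUP_APP, "2025-05-01T00:00:00Z"))
```

On real tenants the same three functions run over JSON exported from the Graph `auditLogs/signIns`, `auditLogs/directoryAudits` and `applications` endpoints (service-principal sign-ins are a separate event type in the sign-in logs); the rotation cut-off is whatever date the old secrets were last known to be safe, and anything issued before it is rotated regardless of expiry.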

Omri Weinberg, CEO at DoControl, connects the incident to a broader trend. “Attackers are pivoting from endpoint and network-based attacks to exploiting over-permissioned SaaS environments and misconfigured cloud applications,” Weinberg said. “Security teams need to treat SaaS with the same rigor as traditional infrastructure – starting with strong access governance, continuous monitoring of third-party app integrations, and limiting the blast radius through least privilege access.”

Internal investigation did not reveal any unauthorized access to customer backup data that Commvault stores and protects, the company had said in a statement in May, adding that it expects no material impact on Commvault’s business operations or its ability to deliver products and services.

Originally published at CSO Online: CISA flags Commvault zero-day as part of wider SaaS attack campaign.