CyberSecurity news
CISA@All CISA Advisories
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding a potential broader campaign targeting Software-as-a-Service (SaaS) providers. This alert follows the discovery of unauthorized activity within Commvault's Microsoft Azure environment. CISA believes threat actors may have gained access to client secrets for Commvault's Metallic Microsoft 365 (M365) backup SaaS solution hosted in Azure. This access could allow the threat actors to compromise Commvault's customers' M365 environments where application secrets are stored by Commvault.
The suspected campaign exploits default configurations and elevated permissions in cloud applications, making SaaS companies with weak security a prime target. The initial incident involved a zero-day vulnerability, CVE-2025-3928, in Commvault's Web Server, which allows a remote, authenticated attacker to create and execute web shells. Commvault confirmed that Microsoft notified it of the unauthorized activity in February 2025, prompting an investigation and remediation efforts. Despite the breach, Commvault assured customers that there was no unauthorized access to their backup data, and it has rotated the M365 app credentials as a preventative measure.
CISA has provided recommendations for users and administrators to mitigate such threats, including monitoring Entra audit logs for unauthorized modifications, reviewing Microsoft logs for suspicious activity, and implementing conditional access policies to restrict application service principal authentication to approved IP addresses. They also advise reviewing Application Registrations and Service Principals in Entra, restricting access to Commvault management interfaces, and deploying a Web Application Firewall to detect and block path-traversal attempts. These steps aim to strengthen the security posture of SaaS applications and prevent further exploitation of vulnerabilities.
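Two of the CISA recommendations above are concrete enough to script: watch Entra audit logs for credential changes on application registrations and service principals, and check service principal sign-ins against an approved IP allowlist (the same allowlist a conditional access policy would enforce). The script below is an added example and is not code from CISA, Commvault, or the original advisory. The log records are constructed for illustration; the field names (activityDisplayName, initiatedBy, ipAddress) follow the shape of Microsoft Graph audit and sign-in records, and the activity names, approved accounts, and CIDR ranges are assumptions a tenant would replace with its own.

```python
"""Added example: triage constructed Entra audit and sign-in records for
(1) credential additions on app registrations / service principals that were
not made by the documented rotation account, and (2) service principal
sign-ins from IP addresses outside the approved ranges.

All records below are constructed sample data, not real tenant logs."""
import ipaddress

# Audit activity names that add or change an application credential.
# Assumption: these are the activities the tenant alerts on; extend the set
# to match what appears in your own Entra audit log.
CREDENTIAL_CHANGE_ACTIVITIES = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}

# Assumed: the only identity expected to rotate backup-app credentials.
APPROVED_CREDENTIAL_ADMINS = {"svc-secret-rotation@example.test"}

# Assumed: egress ranges of the backup SaaS provider, as you would encode them
# in a conditional access named location (TEST-NET ranges used as placeholders).
APPROVED_SP_CIDRS = ["203.0.113.0/24"]

# Constructed audit log entries (not real data).
AUDIT_ENTRIES = [
    {"activityDisplayName": "Add service principal credentials",
     "initiatedBy": "svc-secret-rotation@example.test",
     "target": "m365-backup-app", "ipAddress": "203.0.113.10"},
    {"activityDisplayName": "Add service principal credentials",
     "initiatedBy": "unknown-user@example.test",
     "target": "m365-backup-app", "ipAddress": "198.51.100.77"},
    {"activityDisplayName": "Update user",
     "initiatedBy": "helpdesk@example.test",
     "target": "jdoe@example.test", "ipAddress": "203.0.113.22"},
]

# Constructed service principal sign-in entries (not real data).
SP_SIGNINS = [
    {"servicePrincipalName": "m365-backup-app", "ipAddress": "203.0.113.15"},
    {"servicePrincipalName": "m365-backup-app", "ipAddress": "198.51.100.77"},
    {"servicePrincipalName": "m365-backup-app", "ipAddress": "not-an-ip"},
]


def find_credential_changes(entries, approved_actors):
    """Return audit entries that add or change an app credential and were
    initiated by an identity outside the approved set."""
    return [
        e for e in entries
        if e.get("activityDisplayName") in CREDENTIAL_CHANGE_ACTIVITIES
        and e.get("initiatedBy") not in approved_actors
    ]


def find_unapproved_sp_signins(signins, approved_cidrs):
    """Return sign-ins whose source IP is outside every approved CIDR.
    A malformed IP cannot be proven approved, so it is flagged as well."""
    networks = [ipaddress.ip_network(c, strict=False) for c in approved_cidrs]
    flagged = []
    for s in signins:
        try:
            ip = ipaddress.ip_address(s.get("ipAddress", ""))
        except ValueError:
            flagged.append(s)  # unparsable source: treat as not approved
            continue
        if not any(ip in net for net in networks):
            flagged.append(s)
    return flagged


def triage(audit_entries, signins):
    """Run both checks and return a summary dict suitable for alerting."""
    return {
        "credential_changes": find_credential_changes(
            audit_entries, APPROVED_CREDENTIAL_ADMINS),
        "unapproved_signins": find_unapproved_sp_signins(
            signins, APPROVED_SP_CIDRS),
    }


if __name__ == "__main__":
    result = triage(AUDIT_ENTRIES, SP_SIGNINS)
    for e in result["credential_changes"]:
        print(f"ALERT credential change on {e['target']} by "
              f"{e['initiatedBy']} from {e['ipAddress']}")
    for s in result["unapproved_signins"]:
        print(f"ALERT service principal {s['servicePrincipalName']} "
              f"signed in from non-approved IP {s['ipAddress']}")
```

The two checks are deliberately separate: a credential added by an approved rotation account is normal, but a sign-in from outside the provider's ranges is suspicious regardless of who added the credential, so the second check should feed a conditional access block, not just an alert.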
References:
- The Hacker News: TheHackerNews post about broader SaaS Attacks Exploiting App Secrets and Cloud Misconfigs
- www.commvault.com: Commvault blogs on a customer security update.
- The Register - Security: CISA says SaaS providers in firing line after Commvault zero-day Azure attack
- thecyberexpress.com: Nation-state threat actors targeting Commvault applications hosted in Microsoft Azure may be part of a broader campaign targeting Software-as-a-Service (SaaS) applications, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned in an advisory this week.
- www.scworld.com: CISA warns of attacks on Commvault’s Microsoft Azure environment
- malware.news: China-linked ‘Silk Typhoon’ hackers accessed Commvault cloud environments, person familiar says
- bsky.app: Advisory Update on Cyber Threat Activity Targeting Commvault’s SaaS Cloud Application (Metallic) | CISA
- www.nextgov.com: China-linked Silk Typhoon hackers accessed Commvault cloud environments, person familiar says
- www.techradar.com: Commvault attack may put SaaS companies across the world at risk, CISA warns
- www.csoonline.com: The US Cybersecurity and Infrastructure Security Agency (CISA) has warned about threat actors abusing Commvault’s SaaS cloud application, Metallic, to access its clients’ critical application secrets.
- cyble.com: CISA Updates Advisory for Active Exploitation Targeting Commvault Metallic SaaS Cloud Platform
Classification:
- HashTags: #CISA #SaaS #Azure
- Company: CISA
- Target: SaaS vendors
- Product: Commvault
- Feature: data security
- Type: Vulnerability
- Severity: Major