CyberSecurity news
FlagThis
CISA@All CISA Advisories
//
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding cyber threat activity targeting Commvault's SaaS Cloud Application (Metallic), which is hosted in Microsoft Azure. CISA believes this activity may be part of a broader campaign aimed at SaaS companies exploiting default configurations and elevated permissions in their cloud applications. This warning comes after Commvault disclosed an incident where a nation-state threat actor, later identified as Silk Typhoon, gained unauthorized access to their Azure environment in February 2025, exploiting a zero-day vulnerability (CVE-2025-3928) in the Commvault Web Server.
Commvault confirmed that the objective of the attackers was to acquire app credentials that could be used to breach companies' M365 environments. While Commvault has taken remedial actions, including rotating app credentials for M365, they emphasized that there has been no unauthorized access to customer backup data. The zero-day vulnerability, now added to CISA's Known Exploited Vulnerabilities Catalog, allows remote, authenticated attackers to create and execute web shells, posing a significant risk to affected systems. The vulnerability requires authenticated credentials in order to make use of it.
To mitigate these threats, CISA recommends that users and administrators closely monitor Entra audit logs for unauthorized modifications or additions of credentials to service principals initiated by Commvault applications. They also advise reviewing Microsoft logs (Entra audit, Entra sign-in, unified audit logs) and conducting internal threat hunting. Additionally, CISA suggests implementing conditional access policies that limit authentication of application service principals to approved IP addresses within Commvault's allowlisted range, restricting access to Commvault management interfaces, and deploying a Web Application Firewall to detect and block path-traversal attempts and suspicious file uploads. For single tenant apps, implement a conditional access policy that limits authentication of an application service principal to an approved IP address that is listed within Commvault's allowlisted range of IP addresses.
ImgSrc: www.csoonline.c
References :
Commvault confirmed that the objective of the attackers was to acquire app credentials that could be used to breach companies' M365 environments. While Commvault has taken remedial actions, including rotating app credentials for M365, they emphasized that there has been no unauthorized access to customer backup data. The zero-day vulnerability, now added to CISA's Known Exploited Vulnerabilities Catalog, allows remote, authenticated attackers to create and execute web shells, posing a significant risk to affected systems. The vulnerability requires authenticated credentials in order to make use of it.
To mitigate these threats, CISA recommends that users and administrators closely monitor Entra audit logs for unauthorized modifications or additions of credentials to service principals initiated by Commvault applications. They also advise reviewing Microsoft logs (Entra audit, Entra sign-in, unified audit logs) and conducting internal threat hunting. Additionally, CISA suggests implementing conditional access policies that limit authentication of application service principals to approved IP addresses within Commvault's allowlisted range, restricting access to Commvault management interfaces, and deploying a Web Application Firewall to detect and block path-traversal attempts and suspicious file uploads. For single tenant apps, implement a conditional access policy that limits authentication of an application service principal to an approved IP address that is listed within Commvault's allowlisted range of IP addresses.
ImgSrc: www.csoonline.c
Share:
References :
- www.commvault.com: Commvault blogs on a customer security update.
- The Hacker News: TheHackerNews post about broader SaaS Attacks Exploiting App Secrets and Cloud Misconfigs
- The Register - Security: CISA says SaaS providers in firing line after Commvault zero-day Azure attack
- thecyberexpress.com: Nation-state threat actors targeting Commvault applications hosted in Microsoft Azure may be part of a broader campaign targeting Software-as-a-Service (SaaS) applications, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned in an advisory this week.
- www.scworld.com: CISA warns of attacks on Commvault’s Microsoft Azure environment
- malware.news: China-linked ‘Silk Typhoon’ hackers accessed Commvault cloud environments, person familiar says
- bsky.app: Advisory Update on Cyber Threat Activity Targeting Commvault’s SaaS Cloud Application (Metallic) | CISA
- www.nextgov.com: China-linked Silk Typhoon hackers accessed Commvault cloud environments, person familiar says
- www.techradar.com: Commvault attack may put SaaS companies across the world at risk, CISA warns
- www.csoonline.com: CISA flags Commvault zero-day as part of wider SaaS attack campaign
- cyble.com: CISA Updates Advisory for Active Exploitation Targeting Commvault Metallic SaaS Cloud Platform
- cyble.com: CISA Updates Advisory for Active Exploitation Targeting Commvault Metallic SaaS Cloud Platform
Classification:
- HashTags: #SaaS #CloudSecurity #CISA
- Company: Commvault, CISA
- Target: Commvault's customers’ M365 environments
- Product: Metallic
- Feature: SaaS Cloud Application
- Type: DataBreach
- Severity: Medium