CISA@All CISA Advisories
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding a potential broader campaign targeting Software-as-a-Service (SaaS) providers. This alert follows the discovery of unauthorized activity within Commvault's Microsoft Azure environment. CISA believes threat actors may have gained access to client secrets for Commvault's Metallic Microsoft 365 (M365) backup SaaS solution hosted in Azure. This access could allow the threat actors to compromise Commvault's customers' M365 environments where application secrets are stored by Commvault.
The suspected campaign exploits default configurations and elevated permissions in cloud applications, making SaaS companies with weak security a prime target. The initial incident involved a zero-day vulnerability, CVE-2025-3928, in Commvault's Web Server, which allows remote, authenticated attackers to create and execute web shells. Commvault confirmed that Microsoft notified it of the unauthorized activity in February 2025, leading to an investigation and remediation efforts. Despite the breach, Commvault assured customers that there was no unauthorized access to their backup data, and it has rotated app credentials for M365 as a preventative measure. CISA has provided recommendations for users and administrators to mitigate such threats, including monitoring Entra audit logs for unauthorized modifications, reviewing Microsoft logs for suspicious activity, and implementing conditional access policies that restrict application service principal authentication to approved IP addresses. CISA also advises reviewing Application Registrations and Service Principals in Entra, restricting access to Commvault management interfaces, and deploying a Web Application Firewall to detect and block path-traversal attempts. These steps aim to strengthen the security posture of SaaS applications and prevent further exploitation of the vulnerability.
CISA@All CISA Advisories
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding cyber threat activity targeting Commvault's SaaS Cloud Application (Metallic), which is hosted in Microsoft Azure. CISA believes this activity may be part of a broader campaign aimed at SaaS companies exploiting default configurations and elevated permissions in their cloud applications. This warning comes after Commvault disclosed an incident where a nation-state threat actor, later identified as Silk Typhoon, gained unauthorized access to their Azure environment in February 2025, exploiting a zero-day vulnerability (CVE-2025-3928) in the Commvault Web Server.
Commvault confirmed that the attackers' objective was to acquire app credentials that could be used to breach companies' M365 environments. While Commvault has taken remedial actions, including rotating app credentials for M365, it emphasized that there has been no unauthorized access to customer backup data. The zero-day vulnerability, now added to CISA's Known Exploited Vulnerabilities Catalog, allows remote, authenticated attackers to create and execute web shells, posing a significant risk to affected systems; exploitation requires valid authenticated credentials. To mitigate these threats, CISA recommends that users and administrators closely monitor Entra audit logs for unauthorized modifications or additions of credentials to service principals initiated by Commvault applications. CISA also advises reviewing Microsoft logs (Entra audit, Entra sign-in, unified audit logs) and conducting internal threat hunting. Additionally, CISA suggests implementing conditional access policies that limit authentication of application service principals to approved IP addresses within Commvault's allowlisted range, restricting access to Commvault management interfaces, and deploying a Web Application Firewall to detect and block path-traversal attempts and suspicious file uploads. For single-tenant apps specifically, CISA recommends a conditional access policy that limits authentication of the application service principal to an approved IP address listed within Commvault's allowlisted range of IP addresses.
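Both summaries above reduce to the same two hunting questions: did an application identity add or change credentials on a service principal, and did that service principal then authenticate from outside the vendor's allowlisted IP range? The following Python is an added illustration of that hunt, not code from CISA or Commvault. It runs over constructed sample records whose field names mirror the Microsoft Graph directoryAudit and service-principal sign-in resources; the operation names, the app and service-principal display names, and the 203.0.113.0/24 allowlist are all placeholders to be replaced with the values from your own tenant and Commvault's published ranges.

```python
"""Hunt Entra audit and service-principal sign-in records for the two behaviours the
advisory asks administrators to watch for: credentials being added to a service
principal by an application identity, and that service principal then signing in
from an address outside an approved allowlist. All sample data below is constructed."""
import ipaddress
from datetime import datetime

# Audit-log operations that add or alter credentials on an application or service
# principal. Names follow Entra audit-log conventions; verify them against your tenant.
CREDENTIAL_OPERATIONS = {
    "Add service principal credentials",
    "Update application - Certificates and secrets management",
}

# PLACEHOLDER allowlist (TEST-NET-3): substitute the ranges Commvault publishes.
APPROVED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed directoryAudit-style records, trimmed to the fields the checks need.
SAMPLE_AUDIT_LOGS = [
    {"id": "audit-1", "activityDateTime": "2025-02-20T03:14:07Z",
     "activityDisplayName": "Add service principal credentials", "result": "success",
     "initiatedBy": {"app": {"displayName": "Commvault Metallic Backup"}, "user": None},
     "targetResources": [{"displayName": "Contoso M365 Backup Connector", "type": "ServicePrincipal"}]},
    {"id": "audit-2", "activityDateTime": "2025-02-20T09:00:00Z",
     "activityDisplayName": "Update user", "result": "success",
     "initiatedBy": {"app": None, "user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"displayName": "jdoe", "type": "User"}]},
    {"id": "audit-3", "activityDateTime": "2025-02-21T22:41:19Z",
     "activityDisplayName": "Update application - Certificates and secrets management",
     "result": "success",
     "initiatedBy": {"app": None, "user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"displayName": "Contoso M365 Backup Connector", "type": "Application"}]},
]

# Constructed service-principal sign-in records.
SAMPLE_SP_SIGNINS = [
    {"id": "signin-1", "createdDateTime": "2025-02-20T03:15:00Z",
     "servicePrincipalName": "Contoso M365 Backup Connector", "ipAddress": "203.0.113.40"},
    {"id": "signin-2", "createdDateTime": "2025-02-20T03:16:30Z",
     "servicePrincipalName": "Contoso M365 Backup Connector", "ipAddress": "198.51.100.77"},
    {"id": "signin-3", "createdDateTime": "2025-02-20T04:00:00Z",
     "servicePrincipalName": "Other App", "ipAddress": "198.51.100.5"},
]


def credential_changes(records, app_name_fragment=None):
    """Return audit records that add or alter app/service-principal credentials.

    With app_name_fragment set, keep only changes initiated by an application identity
    whose display name contains it (e.g. the backup vendor's app). Without it, user-
    initiated changes are returned too, which is what a periodic review wants to see."""
    hits = []
    for rec in records:
        if rec.get("activityDisplayName") not in CREDENTIAL_OPERATIONS:
            continue
        app = (rec.get("initiatedBy") or {}).get("app") or {}
        if app_name_fragment is not None and \
                app_name_fragment.lower() not in (app.get("displayName") or "").lower():
            continue
        hits.append(rec)
    return hits


def signins_outside_allowlist(signins, service_principal_name, approved_ranges=APPROVED_RANGES):
    """Return sign-ins of one service principal whose source IP is in no approved range."""
    outside = []
    for s in signins:
        if s.get("servicePrincipalName") != service_principal_name:
            continue
        try:
            ip = ipaddress.ip_address(s.get("ipAddress", ""))
        except ValueError:
            outside.append(s)  # missing or unparsable IP: surface it rather than drop it
            continue
        if not any(ip in net for net in approved_ranges):
            outside.append(s)
    return outside


def correlate(audit_hits, signin_hits, window_minutes=60):
    """Pair each flagged credential change with off-allowlist sign-ins of the same target
    service principal within window_minutes afterwards: a new secret followed by use
    from an unexpected address is the pattern to escalate."""
    def ts(value):
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    pairs = []
    for a in audit_hits:
        targets = {t.get("displayName") for t in a.get("targetResources", [])}
        t0 = ts(a["activityDateTime"])
        for s in signin_hits:
            minutes = (ts(s["createdDateTime"]) - t0).total_seconds() / 60
            if s["servicePrincipalName"] in targets and 0 <= minutes <= window_minutes:
                pairs.append((a["id"], s["id"]))
    return pairs


if __name__ == "__main__":
    changes = credential_changes(SAMPLE_AUDIT_LOGS, app_name_fragment="Commvault")
    suspect = signins_outside_allowlist(SAMPLE_SP_SIGNINS, "Contoso M365 Backup Connector")
    for audit_id, signin_id in correlate(changes, suspect):
        print(f"ESCALATE: credential change {audit_id} followed by off-allowlist sign-in {signin_id}")
```

On the constructed data the script escalates one pairing: the vendor app adds a credential to the backup connector's service principal, and two minutes later that principal authenticates from 198.51.100.77, outside the allowlist. Running the same functions over an export of your tenant's audit and sign-in logs gives a first pass at the review CISA recommends; the conditional access policy that restricts the service principal to the allowlisted range is what turns the second check from a detection into a preventive control.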