CyberSecurity news

FlagThis - #commvault

CISA@All CISA Advisories //
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding a potential broader campaign targeting Software-as-a-Service (SaaS) providers. This alert follows the discovery of unauthorized activity within Commvault's Microsoft Azure environment. CISA believes threat actors may have gained access to client secrets for Commvault's Metallic Microsoft 365 (M365) backup SaaS solution hosted in Azure. This access could allow the threat actors to compromise Commvault's customers' M365 environments where application secrets are stored by Commvault.

The suspected campaign exploits default configurations and elevated permissions in cloud applications, making SaaS companies with weak security a prime target. The initial incident involved a zero-day vulnerability, CVE-2025-3928, in Commvault's Web Server, allowing remote, authenticated attackers to create and execute web shells. Commvault confirmed that Microsoft notified them of the unauthorized activity in February 2025, leading to an investigation and remediation efforts. Despite the breach, Commvault assured customers that there was no unauthorized access to their backup data, and they have rotated app credentials for M365 as a preventative measure.

CISA has provided recommendations for users and administrators to mitigate such threats, including monitoring Entra audit logs for unauthorized modifications, reviewing Microsoft logs for suspicious activity, and implementing conditional access policies to restrict application service principal authentication to approved IP addresses. They also advise reviewing Application Registrations and Service Principals in Entra, restricting access to Commvault management interfaces, and deploying a Web Application Firewall to detect and block path-traversal attempts. These steps aim to strengthen the security posture of SaaS applications and prevent further exploitation of vulnerabilities.

Recommended read:
References:
  • The Register - Security: CISA says SaaS providers in firing line after Commvault zero-day Azure attack
  • thecyberexpress.com: Commvault Nation-State Campaign Could Be Part of Broader SaaS Threat: CISA
  • The Hacker News: CISA Warns of Suspected Broader SaaS Attacks Exploiting App Secrets and Cloud Misconfigs
  • www.csoonline.com: The US Cybersecurity and Infrastructure Security Agency (CISA) has warned about threat actors abusing Commvault’s SaaS cloud application, Metallic, to access its clients’ critical application secrets.
  • www.scworld.com: CISA warns of attacks on Commvault’s Microsoft Azure environment
  • www.techradar.com: Commvault attack may put SaaS companies across the world at risk, CISA warns
  • cyble.com: CISA Updates Advisory for Active Exploitation Targeting Commvault Metallic SaaS Cloud Platform

@industrialcyber.co //
A joint cybersecurity advisory has been issued by intelligence and cybersecurity agencies from multiple Western nations, including the United States, the United Kingdom, Germany, and France, warning of an aggressive cyber espionage campaign orchestrated by a Russian military cyber unit. The advisory directly implicates the Russian General Staff Main Intelligence Directorate (GRU) unit 26165, also known as APT28, Fancy Bear, and Forest Blizzard. This group has been actively targeting logistics and technology companies that are involved in providing aid to Ukraine. Their operations, ongoing for over two years, involve infiltrating networks to spy on arms shipments and logistics operations.

The GRU hackers are targeting a range of entities critical to the supply chain supporting Ukraine, including defense contractors, transport hubs like airports and ports, air traffic control systems, maritime operators, and IT service providers. Affected countries include the United States, Germany, Poland, France, Romania, Ukraine, the Netherlands, and others. The attackers not only infiltrate the main target company but also go after partners and connected firms, abusing trust relationships to spread deeper. In one instance, hackers stole credentials, gaining access to sensitive information on shipments, such as train schedules and shipping manifests.

The Russian hackers are employing a mix of both established and novel tactics to breach security. These tactics include credential guessing, brute-force attacks, and spearphishing emails disguised as legitimate login pages from Western email platforms. The GRU unit is also known for exploiting IP cameras in Ukraine and bordering NATO countries, likely to gather intelligence and monitor activities. Cybersecurity agencies urge logistics entities and technology companies to enhance monitoring, proactively hunt for known tactics and indicators of compromise, and fortify their network defenses, presuming they are targets.

Recommended read:
References:
  • www.esecurityplanet.com: Russian Hackers Target Western Firms Aiding Ukraine, Spy on Shipments
  • Industrial Cyber: Russian GRU’s Unit 26165 conducts two-year cyber espionage on logistics, tech firms using IP cameras, supply chains

CISA@All CISA Advisories //
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding cyber threat activity targeting Commvault's SaaS Cloud Application (Metallic), which is hosted in Microsoft Azure. CISA believes this activity may be part of a broader campaign aimed at SaaS companies exploiting default configurations and elevated permissions in their cloud applications. This warning comes after Commvault disclosed an incident where a nation-state threat actor, later identified as Silk Typhoon, gained unauthorized access to their Azure environment in February 2025, exploiting a zero-day vulnerability (CVE-2025-3928) in the Commvault Web Server.

Commvault confirmed that the objective of the attackers was to acquire app credentials that could be used to breach companies' M365 environments. While Commvault has taken remedial actions, including rotating app credentials for M365, they emphasized that there has been no unauthorized access to customer backup data. The zero-day vulnerability, now added to CISA's Known Exploited Vulnerabilities Catalog, allows remote, authenticated attackers to create and execute web shells; exploitation therefore requires valid credentials, but it still poses a significant risk to affected systems.

To mitigate these threats, CISA recommends that users and administrators closely monitor Entra audit logs for unauthorized modifications or additions of credentials to service principals initiated by Commvault applications. They also advise reviewing Microsoft logs (Entra audit, Entra sign-in, unified audit logs) and conducting internal threat hunting. Additionally, CISA suggests implementing conditional access policies that limit authentication of application service principals to approved IP addresses within Commvault's allowlisted range (for single-tenant apps, a policy that restricts the application service principal to an approved address listed within that range), restricting access to Commvault management interfaces, and deploying a Web Application Firewall to detect and block path-traversal attempts and suspicious file uploads.
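The two log-review steps above (credential additions to service principals initiated by a backup application, and service-principal sign-ins from outside an approved range) can be turned into a small hunting script. The following is an added example written for this digest, not code from CISA or Commvault. It assumes the Entra records have been exported in the shape of Microsoft Graph directoryAudit and servicePrincipalSignIn objects, that the activity names match what Entra ID emits for credential changes, and that the app name "Backup Connector App" and the 198.51.100.0/24 allowlist are placeholders standing in for the real vendor application and its published range, which the advisory text here does not give. All log records are constructed.

```python
import ipaddress

# Audit activity names Entra ID emits when a credential is added to a service
# principal or an app registration (assumption: matches Graph directoryAudit naming).
CREDENTIAL_ACTIVITIES = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}

# Placeholder for the vendor's allowlisted source range; the advisory summarised on
# this page does not give the real prefix, so a documentation range is used here.
APPROVED_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample records in the shape of Graph directoryAudit objects (not real logs).
AUDIT_LOG = [
    {
        "activityDateTime": "2025-02-20T03:14:07Z",
        "activityDisplayName": "Add service principal credentials",
        "initiatedBy": {"app": {"displayName": "Backup Connector App"}},  # hypothetical app
        "targetResources": [{"displayName": "M365 Backup Principal"}],
    },
    {
        "activityDateTime": "2025-02-20T09:00:00Z",
        "activityDisplayName": "Add user",
        "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
        "targetResources": [{"displayName": "j.doe"}],
    },
    {
        "activityDateTime": "2025-02-21T22:41:55Z",
        "activityDisplayName": "Update application – Certificates and secrets management",
        "initiatedBy": {"app": {"displayName": "Backup Connector App"}},
        "targetResources": [{"displayName": "M365 Backup App Registration"}],
    },
]

# Constructed service-principal sign-in records (shape of Graph servicePrincipalSignIn objects).
SP_SIGNINS = [
    {"createdDateTime": "2025-02-21T22:40:10Z", "servicePrincipalName": "M365 Backup Principal",
     "ipAddress": "198.51.100.7"},
    {"createdDateTime": "2025-02-21T22:43:02Z", "servicePrincipalName": "M365 Backup Principal",
     "ipAddress": "203.0.113.5"},
]


def credential_changes_by_apps(records, watched_apps):
    """Return one hit per target for every credential add/update initiated by a watched app."""
    hits = []
    for rec in records:
        if rec.get("activityDisplayName") not in CREDENTIAL_ACTIVITIES:
            continue
        app = (rec.get("initiatedBy") or {}).get("app") or {}
        if app.get("displayName") not in watched_apps:
            continue  # initiated by a user or by an app we are not watching
        for target in rec.get("targetResources", []):
            hits.append({
                "when": rec.get("activityDateTime"),
                "activity": rec["activityDisplayName"],
                "initiator": app["displayName"],
                "target": target.get("displayName"),
            })
    return hits


def signins_outside_allowlist(records, approved=APPROVED_RANGES):
    """Flag service-principal sign-ins whose source IP is missing, unparseable, or not approved."""
    flagged = []
    for rec in records:
        try:
            ip = ipaddress.ip_address(rec.get("ipAddress", ""))
        except ValueError:
            flagged.append({**rec, "reason": "unparseable source IP"})
            continue
        if not any(ip in net for net in approved):
            flagged.append({**rec, "reason": "source outside approved range"})
    return flagged


if __name__ == "__main__":
    for hit in credential_changes_by_apps(AUDIT_LOG, {"Backup Connector App"}):
        print("credential change:", hit)
    for bad in signins_outside_allowlist(SP_SIGNINS):
        print("sign-in to review:", bad)
```

Run against a real export, the credential-change list is the set of events to reconcile with the vendor's own rotation notices, and the sign-in list is the set of sessions to explain or revoke; anything a conditional access policy would have denied should also show up as a denied sign-in once the policy is in place.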

Recommended read:
References:
  • www.commvault.com: Commvault blogs on a customer security update.
  • The Hacker News: TheHackerNews post about broader SaaS Attacks Exploiting App Secrets and Cloud Misconfigs
  • The Register - Security: CISA says SaaS providers in firing line after Commvault zero-day Azure attack
  • thecyberexpress.com: Nation-state threat actors targeting Commvault applications hosted in Microsoft Azure may be part of a broader campaign targeting Software-as-a-Service (SaaS) applications, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned in an advisory this week.
  • www.scworld.com: CISA warns of attacks on Commvault’s Microsoft Azure environment
  • malware.news: China-linked ‘Silk Typhoon’ hackers accessed Commvault cloud environments, person familiar says
  • bsky.app: Advisory Update on Cyber Threat Activity Targeting Commvault’s SaaS Cloud Application (Metallic) | CISA
  • www.nextgov.com: China-linked Silk Typhoon hackers accessed Commvault cloud environments, person familiar says
  • www.techradar.com: Commvault attack may put SaaS companies across the world at risk, CISA warns
  • www.csoonline.com: CISA flags Commvault zero-day as part of wider SaaS attack campaign
  • cyble.com: CISA Updates Advisory for Active Exploitation Targeting Commvault Metallic SaaS Cloud Platform

@arcticwolf.com //
References: Arctic Wolf, malware.news
Commvault has issued updated advisories regarding a critical vulnerability, CVE-2025-34028, affecting Commvault Command Center. The flaw allows for remote code execution, posing a significant risk to organizations utilizing the platform. Initial patches were released, but Commvault has since clarified that simply being on versions 11.38.20 or 11.38.25 is not enough to fully remediate the vulnerability: specific updates within those versions are required to close the security gap, a clarification Commvault published on May 7, 2025.

The Cybersecurity and Infrastructure Security Agency (CISA) has added the Commvault Command Center vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. This designation underscores the severity of the flaw and the potential for active exploitation, prompting immediate action from organizations to apply the necessary updates. Fortunately, Commvault seems to have resolved the issue where the "Upgrade software" option was not working for unregistered systems. It is now possible to obtain the necessary fixes for CVE-2025-34028 by clicking "Upgrade now," even without being registered with Commvault.

However, the "Check updates" button in the "Download or copy software" section is still malfunctioning. It incorrectly reports systems as "Up-to-date" even when they are not fully patched against CVE-2025-34028. Users must ensure they have the appropriate specific updates within versions 11.38.20 or 11.38.25 as mentioned in Commvault's clarified advisory to achieve full remediation. Staying vigilant, monitoring security advisories, and diligently applying patches and updates are crucial for maintaining a robust security posture and mitigating potential cyber threats.

Recommended read:
References:
  • Arctic Wolf: Follow-Up: Commvault Updates Advisory With Fixed Versions for Critical Commvault Command Center Vulnerability (CVE-2025-34028)
  • malware.news: News about Commvault updates addressing a critical vulnerability.

@documentation.commvault.com //
A critical remote code execution (RCE) vulnerability, identified as CVE-2025-34028, has been discovered in Commvault Command Center. This security flaw, rated a CVSS severity of 9.0 out of 10, allows unauthenticated remote attackers to execute arbitrary code on affected installations. The vulnerability stems from a path traversal issue that can lead to a complete compromise of the Command Center environment. Commvault acknowledged the flaw in an advisory released on April 17, 2025, highlighting the potential for attackers to gain control of the system without requiring authentication.

Commvault Command Center versions 11.38.0 through 11.38.19 of the 11.38 Innovation Release are impacted by this vulnerability. The root cause lies within the "deployWebpackage.do" endpoint, which is susceptible to a pre-authenticated Server-Side Request Forgery (SSRF) attack because it does not restrict which hosts it will contact. Attackers can exploit this by sending an HTTP request to the vulnerable endpoint, causing the Commvault instance to retrieve a malicious ZIP file from an external server. Once retrieved, the contents of the ZIP file are unzipped into a temporary directory under the attacker's control.
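The description above names two missing controls: the fetcher contacts any host it is told to, and the archive it downloads is expanded without checking where its entries land. The following is an added example written for this digest, not Commvault's code and not the vendor's patch; it shows the generic hardened form of a package fetcher, with an explicit destination-host allowlist and an extraction step that refuses archive entries resolving outside the target directory. The host "packages.example.internal" and the extraction root are placeholders, and the archive used to exercise the checks is constructed in memory.

```python
import io
import os
import zipfile
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts a package fetcher may retrieve from.
ALLOWED_HOSTS = {"packages.example.internal"}


def is_allowed_source(url, allowed_hosts=ALLOWED_HOSTS):
    """Accept only https URLs whose host is on the allowlist; reject userinfo tricks."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    if parts.username or parts.password:  # "allowed.host@evil.host" style URLs
        return False
    host = parts.hostname  # urlsplit lowercases this
    return host is not None and host in allowed_hosts


def unsafe_entries(zip_bytes, dest_root="/srv/packages/extract"):
    """Return archive entry names that would land outside dest_root (pure string check)."""
    root = os.path.normpath(dest_root)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            target = os.path.normpath(os.path.join(root, name))
            # absolute names discard root in join; ".." segments leave it after normpath
            if os.path.commonpath([root, target]) != root:
                bad.append(name)
    return bad


def safe_extract(zip_bytes, dest_dir):
    """Extract an archive only after every entry has passed the containment check."""
    bad = unsafe_entries(zip_bytes, dest_dir)
    if bad:
        raise ValueError(f"archive rejected, entries escape {dest_dir}: {bad}")
    extracted = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest_dir, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(info.filename)
    return extracted


def build_zip(entries):
    """Constructed in-memory archive for testing; entries maps name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    for url in ("https://packages.example.internal/pkg.zip",
                "http://packages.example.internal/pkg.zip",
                "https://packages.example.internal@203.0.113.9/pkg.zip"):
        print(url, "->", "allowed" if is_allowed_source(url) else "rejected")
    hostile = build_zip({"web/index.html": b"ok", "../../escape.txt": b"x"})
    print("entries escaping the extraction root:", unsafe_entries(hostile))
```

The containment check deliberately runs over the whole archive before anything is written, so a single traversal entry rejects the package instead of leaving a partially extracted directory behind; the host allowlist is checked on the parsed hostname rather than by substring matching, which is what lets the userinfo case be caught.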

The vulnerability was discovered and reported by Sonny Macdonald, a researcher at watchTowr Labs, on April 7, 2025. watchTowr published technical details and a proof-of-concept (PoC) exploit on April 24, 2025, increasing the urgency for users to apply the necessary patches. Commvault has addressed the vulnerability in versions 11.38.20 and 11.38.25, urging all users to upgrade immediately. The vulnerability was last modified by NIST's National Vulnerability Database on April 23. watchTowr has also created a Detection Artefact Generator that organizations can use to determine whether their instance is affected.

Recommended read:
References:
  • Open Source Security: Posted by Fabian Bäumer on Apr 19 Hi Alexander, We used a technique called state machine learning to infer the state machine of the Erlang/OTP SSH server by interaction. With the state machine at hand, we noticed unexpected state transitions during the handshake caused by SSH_MSG_CHANNEL_OPEN messages. In particular, sending SSH_MSG_CHANNEL_REQUEST without SSH_MSG_CHANNEL_OPEN caused the connection to terminate, while sending SSH_MSG_CHANNEL_OPEN first changed this...
  • Resources-2: On April 16th, 2025, Erlang/OTP team disclosed a critical vulnerability affecting their SSH server implementation [1]. CVE-2025-32433 is an unauthenticated remote code execution vulnerability with a CVSS score of 10.0 (Critical) that allows adversaries to run arbitrary code on vulnerable systems with elevated privileges.
  • Tenable Blog: Proof-of-concept code has been released after researchers disclosed a maximum severity remote code execution vulnerability in Erlang/OTP SSH. Successful exploitation could allow for complete takeover of affected devices. Background On April 16, Fabian Bäumer, Marcus Brinkmann, Marcel Maehren, and Jörg Schwenk of the Ruhr University Bochum in Germany disclosed a critical vulnerability in Erlang/OTP SSH to the vulnerability mailing list.
  • arcticwolf.com: On April 24, 2025, watchTowr published technical details and a proof-of-concept (PoC) exploit for a critical vulnerability in Commvault Command Center, CVE-2025-34028, which had been disclosed earlier in April.
  • The Hacker News: A critical security flaw has been disclosed in the Commvault Command Center that could allow arbitrary code execution on affected installations.
  • www.scworld.com: CVE-2025-34028 could lead to a complete compromise of the Command Center.
  • Arctic Wolf: CVE-2025-34028: PoC Released for Critical RCE Vulnerability in Commvault Command Center
  • labs.watchtowr.com: Fire In The Hole, We’re Breaching The Vault - Commvault Remote Code Execution (CVE-2025-34028) - watchTowr Labs
  • Help Net Security: Critical Commvault RCE vulnerability fixed, PoC available (CVE-2025-34028)
  • Anonymous: Critical Exploit Alert! A 9.0 CVSS flaw in Commvault Command Center lets hackers run code without logging in. Targets versions 11.38.0–11.38.19
  • SOC Prime Blog: SocPrime blog post on detecting CVE-2025-34028 exploitation
  • thecyberexpress.com: The Cyber Express article on the Commvault vulnerability
  • hackread.com: Critical Commvault Flaw Allows Full System Takeover – Update NOW
  • socprime.com: CVE-2025-34028 Detection: A Maximum-Severity Vulnerability in the Commvault Command Center Enables RCE
  • fortiguard.fortinet.com: What is the Vulnerability?A critical path traversal vulnerability has been identified in Commvault's Command Center Innovation Release.
  • watchTowr Labs: Fire In The Hole, We’re Breaching The Vault
  • www.csoonline.com: Critical Commvault SSRF could allow attackers to execute code remotely
  • Cyber Defense Magazine: Critical Commvault Flaw Allows Full System Takeover.
  • hackread.com: Enterprises using Commvault Innovation Release are urged to patch immediately against CVE-2025-34028. This critical flaw allows attackers to…