The US Cybersecurity and Infrastructure Security Agency (CISA) revealed that Commvault is monitoring cyber threat activity targeting its applications in the Microsoft Azure cloud.
“Threat actors can access customers’ secrets for Commvault’s (Metallic) Microsoft 365 (M365) software-as-a-service (SaaS) solution hosted in Azure,” the agency noted.
“This gave the threat actors unauthorized access to Commvault’s M365 customers that have application secrets stored by Commvault.”
Further, CISA noted that the activity could be part of a wider campaign aimed at various software-as-a-service (SaaS) providers with default configurations and elevated permissions.
The advisory comes a few weeks after Commvault revealed that Microsoft notified the company in February 2025 of unauthorized activity by a nation-state threat actor.
The incident led to the revelation that the threat actors were exploiting a zero-day vulnerability (CVE-2025-3928), an unspecified flaw in the Commvault web server that allows a remote, authenticated attacker to create and execute web shells.
“Based on industry experts, this threat actor uses sophisticated methods to try to gain access to customer M365 environments,” Commvault noted in an announcement. “This threat actor can access a subset of the app credentials that some Commvault customers use to authenticate their M365 environments.”
Commvault said it had taken several remedial actions, including rotating app credentials for M365, but stressed that there was no unauthorized access to customer backup data.
To mitigate such threats, CISA recommends that users and administrators follow the recommendations below:
- Monitor Entra audit logs for unauthorized modifications or additions of credentials to service principals initiated by Commvault applications/service principals
- Review Microsoft logs (Entra audit, Entra sign-in
- For single-tenant applications, implement a conditional access policy that restricts authentication of the application service principal to approved IP addresses that are listed in the IP allowlist
- Review the list of application registrations and service principals in Entra with consent for higher privileges than the business need
- Restrict access to Commvault management interfaces to trusted networks and administrative systems
- Detect and block path-traversal attempts and suspicious file downloads by deploying a web application firewall and removing external access to Commvault applications
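
One way to apply the first recommendation above (watching Entra audit logs for credential changes initiated by Commvault applications or service principals) to exported audit records. This is an added example, not code from CISA or Commvault; the operation names, the `commvault` keyword match and every sample record are assumptions constructed for illustration.

```python
import json

# Audit operations that change credentials on an application or service principal.
# Assumed names; compared case-insensitively by prefix, so verify them in your tenant.
CREDENTIAL_OPS = (
    "add service principal credentials",
    "remove service principal credentials",
    "update application – certificates and secrets management",
)

# Constructed sample records shaped like Entra audit log entries (one JSON object per line).
SAMPLE_LOG = """\
{"activityDateTime":"2025-05-20T02:14:07Z","activityDisplayName":"Add service principal credentials","result":"success","initiatedBy":{"app":{"displayName":"Commvault Backup App (example)"}},"targetResources":[{"displayName":"example-m365-backup-sp","modifiedProperties":[{"displayName":"KeyDescription"}]}]}
{"activityDateTime":"2025-05-20T03:01:55Z","activityDisplayName":"Add service principal credentials","result":"success","initiatedBy":{"user":{"userPrincipalName":"admin@example.com"}},"targetResources":[{"displayName":"example-hr-app"}]}
{"activityDateTime":"2025-05-20T04:30:00Z","activityDisplayName":"Update service principal","result":"success","initiatedBy":{"app":{"displayName":"Commvault Backup App (example)"}},"targetResources":[{"displayName":"example-m365-backup-sp"}]}
{"activityDateTime":"2025-05-20T05:12:41Z","activityDisplayName":"Update application – Certificates and secrets management ","result":"failure","initiatedBy":{"app":{"displayName":"commvault-connector (example)"}},"targetResources":[{"displayName":"example-mail-archiver"}]}
"""

def initiator_name(event):
    """Display name of the app, or UPN of the user, that initiated the event."""
    by = event.get("initiatedBy") or {}
    app, user = by.get("app") or {}, by.get("user") or {}
    return app.get("displayName") or user.get("userPrincipalName") or ""

def flag_credential_changes(lines, initiator_keyword="commvault"):
    """Return credential-change events whose initiator name contains the keyword."""
    findings = []
    for line in filter(str.strip, lines):  # skip blank lines
        ev = json.loads(line)
        op = (ev.get("activityDisplayName") or "").strip()
        who = initiator_name(ev)
        if not op.lower().startswith(CREDENTIAL_OPS) or initiator_keyword.lower() not in who.lower():
            continue
        targets = ev.get("targetResources") or []
        findings.append({
            "time": ev.get("activityDateTime"),
            "operation": op,
            "result": ev.get("result"),  # failed attempts are kept: they are still worth review
            "initiator": who,
            "targets": [t.get("displayName") for t in targets],
            "changed": [p.get("displayName") for t in targets
                        for p in t.get("modifiedProperties") or []],
        })
    return findings

if __name__ == "__main__":
    for finding in flag_credential_changes(SAMPLE_LOG.splitlines()):
        print(finding)
```

Each finding still needs to be compared against known change activity before it is treated as unauthorized.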
CISA, which added CVE-2025-3928 to its Known Exploited Vulnerabilities catalog at the end of April 2025, said it is continuing to investigate the malicious activity in cooperation with partner organizations.