CISA Alerts on Threat Actors Targeting Commvault’s Azure App to Steal Secrets
Source: Vulnerability (cybersecuritynews.com)
Author: Guru Baran

CISA issued an urgent advisory warning organizations about ongoing cyber threat activity targeting Commvault's software-as-a-service (SaaS) cloud applications hosted in Microsoft Azure.
Threat actors may have accessed client secrets for Commvault's Metallic Microsoft 365 backup solution, potentially giving them unauthorized access to the customer M365 environments for which Commvault stores application secrets.
CISA assesses that this activity may be part of a broader campaign against SaaS providers' cloud applications that run with default configurations and elevated permissions, a weak point that lets a single vendor compromise fan out to many customer tenants.
Nation-State Actors Exploit Zero-Day Vulnerability CVE-2025-3928
The campaign centers on CVE-2025-3928, a critical zero-day vulnerability in Commvault Web Server that was first identified in February 2025.
Commvault confirmed that an unknown nation-state threat actor breached its Microsoft Azure environment by exploiting this vulnerability, which allows a remote, authenticated attacker to create and execute webshells on affected Commvault Web Servers. Because exploitation requires authentication, the attacker needed valid credentials or an existing foothold before reaching the vulnerable code path.
The vulnerability affects multiple Commvault versions, including 11.36.0 through 11.36.45, 11.32.0 through 11.32.88, 11.28.0 through 11.28.140, and 11.20.0 through 11.20.216. Patches are available in versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217, respectively.
CISA added CVE-2025-3928 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the patches by May 19, 2025.
Commvault Metallic Breach Exposes M365 Client Secrets
The exploitation allowed threat actors to access client secrets for Commvault's Metallic application, which provides Microsoft 365 backup services to enterprise customers.
Because the Metallic application holds the secrets it uses to reach each customer's M365 tenant, compromise of those secrets could expose any customer tenant the application had been granted access to, not only Commvault's own environment.
Commvault has identified specific malicious IP addresses associated with the attack: 108.69.148.100, 128.92.80.210, 184.153.42.129, 108.6.189.53, and 159.242.42.20.
While Commvault maintains that no customer backup data was accessed and that business operations remain unaffected, the breach shows a deliberate targeting of cloud service providers as a path into downstream customer environments.
CISA has issued mitigation guidance and urges organizations to implement the following controls immediately:
- Monitoring Microsoft Entra audit logs for unauthorized modifications to service principals, in particular credentials added to service principals by the Commvault applications or service principals themselves
- Implementing conditional access policies that restrict application service principal authentication to approved IP addresses within Commvault's allowlisted ranges
- Rotating application secrets for Metallic applications and service principals used between February and May 2025
Organizations should also review Entra audit logs, Entra sign-in logs, and the Microsoft 365 unified audit log, and conduct internal threat hunting in line with their incident response policies.
For single-tenant applications, a Microsoft Entra Workload ID Premium License is required to apply conditional access policies to application service principals.
Additional precautionary measures include deploying a Web Application Firewall to detect path-traversal attempts and suspicious file uploads (the route by which a webshell would be planted), restricting access to Commvault management interfaces to trusted networks and administrative systems, and establishing a policy of rotating credentials every 30 days.
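The two hunts CISA asks for above (credential additions on Commvault service principals in the Entra audit log, and service-principal sign-ins from the published indicator IPs or from outside Commvault's allowlisted ranges) can be scripted against exported logs. The following is an added example written for this page, not code from CISA, Commvault, or the article. The record shape is a simplified version of Entra audit and sign-in entries, the allowlist ranges are documentation placeholders standing in for Commvault's real published ranges, and the service principal names are illustrative; only the five indicator IPs come from the advisory.

```python
# Added example: hunt logic for the CISA-recommended checks, run over constructed
# sample records. Not code from CISA, Commvault, or the article.
import ipaddress

# Indicator IPs Commvault associated with the activity (from the advisory).
IOC_IPS = {
    "108.69.148.100", "128.92.80.210", "184.153.42.129",
    "108.6.189.53", "159.242.42.20",
}

# ASSUMPTION: documentation ranges used as placeholders for Commvault's real
# allowlisted egress ranges, which must be taken from Commvault's own docs.
COMMVAULT_ALLOWLIST = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Entra audit-log activity names that add or replace app/service principal secrets.
CREDENTIAL_OPS = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}


def credential_changes(audit_records, watched_principals):
    """Audit entries that add credentials to a watched service principal, or
    that a watched service principal initiated. Simplified audit-log shape."""
    hits = []
    for rec in audit_records:
        if rec["activityDisplayName"] not in CREDENTIAL_OPS:
            continue
        initiator = rec["initiatedBy"]
        targets = {t["displayName"] for t in rec["targetResources"]}
        if initiator in watched_principals or targets & watched_principals:
            hits.append((rec["activityDateTime"], initiator, sorted(targets)))
    return hits


def anomalous_signins(signin_records, watched_principals):
    """Sign-ins by a watched service principal from an IOC address or from
    outside the allowlist. The allowlist violations are exactly what the
    recommended conditional access policy would block once it is in place."""
    hits = []
    for rec in signin_records:
        if rec["servicePrincipalName"] not in watched_principals:
            continue
        addr = ipaddress.ip_address(rec["ipAddress"])
        if rec["ipAddress"] in IOC_IPS:
            reason = "known IOC address"
        elif not any(addr in net for net in COMMVAULT_ALLOWLIST):
            reason = "outside Commvault allowlist"
        else:
            continue  # expected source; nothing to report
        hits.append((rec["activityDateTime"], rec["servicePrincipalName"],
                     rec["ipAddress"], reason))
    return hits


# Constructed sample data; "Metallic-M365-Backup" is an illustrative name, not
# Commvault's real service principal display name.
WATCHED = {"Metallic-M365-Backup"}

SAMPLE_AUDIT = [
    {"activityDateTime": "2025-03-02T10:14:00Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": "Metallic-M365-Backup",
     "targetResources": [{"displayName": "Metallic-M365-Backup", "type": "ServicePrincipal"}]},
    {"activityDateTime": "2025-03-02T10:20:00Z",
     "activityDisplayName": "Add user",
     "initiatedBy": "admin@contoso.example",
     "targetResources": [{"displayName": "New Hire", "type": "User"}]},
    {"activityDateTime": "2025-03-05T08:00:00Z",
     "activityDisplayName": "Update application – Certificates and secrets management",
     "initiatedBy": "admin@contoso.example",
     "targetResources": [{"displayName": "Payroll-Connector", "type": "Application"}]},
]

SAMPLE_SIGNINS = [
    {"activityDateTime": "2025-03-02T10:30:00Z", "servicePrincipalName": "Metallic-M365-Backup", "ipAddress": "203.0.113.25"},
    {"activityDateTime": "2025-03-02T11:02:00Z", "servicePrincipalName": "Metallic-M365-Backup", "ipAddress": "108.69.148.100"},
    {"activityDateTime": "2025-03-03T02:45:00Z", "servicePrincipalName": "Metallic-M365-Backup", "ipAddress": "192.0.2.77"},
    {"activityDateTime": "2025-03-03T03:00:00Z", "servicePrincipalName": "Payroll-Connector", "ipAddress": "192.0.2.77"},
]


def run_hunt():
    """Run both hunts over the sample data and return their findings."""
    return credential_changes(SAMPLE_AUDIT, WATCHED), anomalous_signins(SAMPLE_SIGNINS, WATCHED)


if __name__ == "__main__":
    cred_hits, signin_hits = run_hunt()
    for hit in cred_hits:
        print("credential change:", hit)
    for hit in signin_hits:
        print("sign-in:", hit)
```

On the sample data the first hunt flags the credential added to the Metallic service principal by itself, and the second flags one sign-in from a known indicator address and one from an address outside the allowlist, while the in-allowlist sign-in and the unrelated Payroll-Connector sign-in are ignored. With real exports, feed the audit and sign-in entries in as lists of dicts with the same field names and replace the placeholder allowlist with Commvault's published ranges.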
CISA emphasizes implementing general M365 security recommendations outlined in the Secure Cloud Business Applications (SCuBA) Project to strengthen overall cloud security postures.