CISA says SaaS providers in firing line after Commvault zero-day Azure attack
The Cybersecurity and Infrastructure Security Agency (CISA) is warning that SaaS companies are under fire from criminals on the prowl for cloud apps with weak security.
Apps with default configurations and elevated permissions are the target of these attacks, although the US agency did not attribute the activity to a specific group in the message it issued this week.
However, the warning follows an advisory published by data security biz Commvault earlier this month, which revealed unauthorized activity was detected in its Azure environments.
Danielle Sheer, chief trust officer at Commvault, said in a blog post that Microsoft contacted the company in February, reporting signs that nation-state baddies had broken into Commvault’s systems.
A separate advisory at the time confirmed that “a handful of customers” were affected after the suspected nation-state attackers exploited a Commvault zero-day, CVE-2025-3928 (CVSS 8.7). Technical details of the vulnerability have not been disclosed, but it requires authenticated credentials to exploit.
It was added to CISA’s Known Exploited Vulnerability (KEV) catalog on April 28 with the added detail that successful exploitation can lead to remote attackers creating and executing web shells.
Each KEV entry also lists whether the vulnerability is known to be used in ransomware attacks. In this case, the value for CVE-2025-3928 is “unknown.”
Sheer confirmed there was no unauthorized access to the data Commvault protects for its customers, and that the event had no impact on Commvault’s business operations.
However, after months of investigation, Commvault confirmed that the attackers’ objective was to acquire application credentials that could be used to breach companies’ M365 environments.
CISA said this week that the zero-day gave attackers a way into Commvault’s Azure-hosted M365 backup SaaS solution, which then provided access to customers’ M365 environments that had application secrets stored in Commvault.
Without indicating the scale of this broader campaign against the SaaS sector, CISA said it “believes the threat activity may be part of a larger campaign targeting various SaaS companies’ cloud applications with default configurations and elevated permissions.”
Those reading this and thinking “it sounds like it could be us next” are advised to follow CISA’s guidance to mitigate the threat of successful attacks on organizations and their customers.
Microsoft Entra logs will play an important role: CISA advises monitoring Entra audit logs for unauthorized modifications to, or additions of, credentials initiated by Commvault applications or service principals.
The agency adds that any deviations from the norm should be treated as suspicious, and incident response protocols enacted accordingly.
CISA advises that Microsoft logs, including Entra audit and sign-in, should also be used to conduct internal threat hunting in alignment with the organization’s incident response plan.
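The hunt CISA describes comes down to one question asked of every Entra audit record: did a credential change involve a Commvault identity, either as the initiator or as the target? The Python below is an added example, not code from CISA or Commvault. It reads records in the shape of Microsoft Graph `directoryAudit` objects (what `GET /auditLogs/directoryAudits` returns) and flags credential changes inside the February to May review window. The appIds, object IDs, user names and records are constructed for the example; replace the identity set with the values from your own tenant.

```python
"""Hunt Microsoft Entra audit logs for credential changes touching Commvault app identities."""
from datetime import datetime, timezone

# Activity names Entra emits when application / service principal credentials change.
# The real name of the third one has an en dash before "Certificates", so match on a substring.
CREDENTIAL_ACTIVITY_MARKERS = (
    "Add service principal credentials",
    "Remove service principal credentials",
    "Certificates and secrets management",
)

# Assumed: appId and service principal object ID of the Commvault/Metallic identities in the tenant.
# These GUIDs are invented for the example; take the real ones from your Enterprise applications list.
COMMVAULT_IDS = {
    "11111111-2222-3333-4444-555555555555",  # appId of the Metallic backup app (invented)
    "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",  # objectId of its service principal (invented)
}
COMMVAULT_NAME_HINTS = ("commvault", "metallic")

# Review window CISA named: credentials in place between February and May 2025.
WINDOW_START = datetime(2025, 2, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 5, 31, 23, 59, 59, tzinfo=timezone.utc)


def is_commvault_identity(ident):
    """True if an initiatedBy.app or targetResources entry refers to a Commvault identity."""
    if not ident:
        return False
    if {ident.get("appId"), ident.get("servicePrincipalId"), ident.get("id")} & COMMVAULT_IDS:
        return True
    name = (ident.get("displayName") or "").lower()
    return any(hint in name for hint in COMMVAULT_NAME_HINTS)


def parse_graph_time(value):
    """Graph emits '2025-03-04T10:15:00Z'; fromisoformat needs '+00:00' on older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def hunt_credential_changes(records):
    """Return one finding per in-window credential change that touches a Commvault identity."""
    findings = []
    for rec in records:
        activity = rec.get("activityDisplayName", "")
        if not any(marker in activity for marker in CREDENTIAL_ACTIVITY_MARKERS):
            continue
        when = parse_graph_time(rec["activityDateTime"])
        if not WINDOW_START <= when <= WINDOW_END:
            continue
        initiated_by = rec.get("initiatedBy") or {}
        init_app = initiated_by.get("app") or {}
        init_user = initiated_by.get("user") or {}
        targets = rec.get("targetResources") or []

        reasons = []
        if is_commvault_identity(init_app):
            # A backup app has no business minting secrets; this is the pattern of an
            # attacker holding the app's token and adding a credential for persistence.
            reasons.append("initiated_by_commvault_identity")
        if any(is_commvault_identity(t) for t in targets):
            # Someone (admin or attacker) changed the keys on a Commvault identity: verify it.
            reasons.append("credential_change_on_commvault_identity")
        if not reasons:
            continue
        findings.append({
            "time": when.isoformat(),
            "activity": activity,
            "initiator": init_app.get("displayName") or init_user.get("userPrincipalName") or "unknown",
            "targets": [t.get("displayName") for t in targets],
            "reasons": reasons,
        })
    return findings


# Constructed sample records in the shape of Graph directoryAudit objects (not real tenant data).
_APP = {"appId": "11111111-2222-3333-4444-555555555555",
        "servicePrincipalId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
        "displayName": "Commvault Metallic Backup"}
_SP = {"id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
       "displayName": "Commvault Metallic Backup", "type": "ServicePrincipal"}
_ADMIN = {"id": "u1", "userPrincipalName": "admin@contoso.example"}
SAMPLE_RECORDS = [
    # 1: the Metallic app adds a secret to its own service principal: flagged on both counts
    {"activityDateTime": "2025-03-04T10:15:00Z", "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": None, "app": _APP}, "targetResources": [_SP]},
    # 2: an admin rotating an unrelated app's secret: not flagged
    {"activityDateTime": "2025-03-10T08:00:00Z",
     "activityDisplayName": "Update application \u2013 Certificates and secrets management",
     "initiatedBy": {"user": _ADMIN, "app": None},
     "targetResources": [{"id": "f1", "displayName": "Finance Dashboard", "type": "Application"}]},
    # 3: an admin adds a credential to the Commvault service principal: flagged for review
    {"activityDateTime": "2025-04-20T22:41:00Z", "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": _ADMIN, "app": None}, "targetResources": [_SP]},
    # 4: same as 1 but before the review window: skipped
    {"activityDateTime": "2024-12-01T00:00:00Z", "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": None, "app": _APP}, "targetResources": [_SP]},
    # 5: a non-credential activity by the app: skipped
    {"activityDateTime": "2025-03-05T09:00:00Z", "activityDisplayName": "Add user",
     "initiatedBy": {"user": None, "app": _APP}, "targetResources": [{"id": "u9", "displayName": "new.user"}]},
]

if __name__ == "__main__":
    for finding in hunt_credential_changes(SAMPLE_RECORDS):
        print(finding)
```

Feed it the JSON array from `/auditLogs/directoryAudits` filtered on `category eq 'ApplicationManagement'` and it produces the same dicts. Finding 1 is the case the advisory is really about: an application identity adding a credential to itself, which a legitimately configured backup integration never does. Finding 3 is the one to reconcile against change tickets, since a rotation done by an admin during the incident window looks identical to an attacker with a Global Administrator session.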
For single-tenant apps, CISA suggests setting up a conditional access policy so authentication of an app service principal can only be carried out by IP addresses within Commvault’s allowlisted range.
Organizations that control their own Commvault application secrets (only a limited number do) should rotate the secrets and credentials on Commvault Metallic applications and service principals that were in place between February and May this year.
Lastly, check Entra for any accounts that have admin rights but perhaps don’t necessarily need them. Reduce privileges where possible.
On-prem Commvault customers should restrict access to management interfaces to trusted networks and admin systems, where technically feasible.
Ensure all relevant Commvault patches are applied (cloud-based customers have them applied automatically), and use a WAF to detect and block path traversal attempts and dodgy-looking file uploads. Remove external access to Commvault apps too. ®
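The WAF advice above boils down to two request-level checks: reject any path that still contains a dot-dot segment after decoding, and reject uploads whose effective file name is a server-side script. The Python below is an added illustration of those checks, not code from Commvault, CISA or any WAF product. It decodes repeatedly so that double-encoded sequences such as `%252e%252e%252f` are caught, treats backslashes as separators, and flags NUL bytes in either the path or the file name. The extension denylist and the sample requests are constructed for the example.

```python
"""Two WAF-style checks for a web front end: path traversal and web-shell style uploads."""
import posixpath
from urllib.parse import unquote

# Assumed denylist of server-side script extensions that should never arrive as an upload
# to a management console; tune it to the stack you actually run.
WEB_SHELL_EXTENSIONS = {".jsp", ".jspx", ".war", ".aspx", ".asp", ".ashx", ".php", ".phtml", ".cgi"}


def decode_path(raw, max_rounds=3):
    """Percent-decode until the value stops changing (defeats double encoding),
    then treat backslashes as path separators so "..\\" is seen as "../"."""
    value = raw
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def is_traversal(raw_path):
    """True if the request path, once decoded, carries a dot-dot segment or a NUL byte."""
    path = decode_path(raw_path.split("?", 1)[0])  # the query string is not a path
    if "\x00" in path:
        return True
    # Only a whole ".." segment is traversal; "report..2024.pdf" is a legitimate name.
    return any(segment == ".." for segment in path.split("/"))


def is_suspicious_upload(filename):
    """True if the upload's effective extension is a script or a NUL byte hides the real one."""
    name = decode_path(filename)
    if "\x00" in name:
        return True  # "shell.jsp%00.png": a native layer may stop reading at the NUL
    basename = name.rsplit("/", 1)[-1]
    return posixpath.splitext(basename)[1].lower() in WEB_SHELL_EXTENSIONS


def waf_verdict(path, upload_name=None):
    """Collect the reasons a request would be blocked; an empty list means allow."""
    reasons = []
    if is_traversal(path):
        reasons.append("path_traversal")
    if upload_name is not None and is_suspicious_upload(upload_name):
        reasons.append("suspicious_upload")
    return reasons


# Constructed sample requests (not taken from any real Commvault traffic).
SAMPLE_REQUESTS = [
    ("/api/files/../../etc/passwd", None),
    ("/api/files/%2e%2e/%2e%2e/etc/passwd", None),
    ("/api/files/%252e%252e%252f%252e%252e%252fetc/passwd", None),
    ("/api/files/..%5c..%5cwin.ini", None),
    ("/api/files/report..2024.pdf", None),
    ("/static/app.js?v=..", None),
    ("/api/upload", "backup.pdf.jsp"),
    ("/api/upload", "shell.jsp%00.png"),
    ("/api/upload", "quarterly-report.pdf"),
]

if __name__ == "__main__":
    for path, upload in SAMPLE_REQUESTS:
        print(path, upload, waf_verdict(path, upload) or "allow")
```

Decoding until the value is stable is the part most home-grown rules miss: a single `unquote` turns `%252e%252e%252f` into the harmless-looking `%2e%2e%2f`, which the back end then decodes again into `../`. Running the check on the decoded form, and only on the path portion, keeps false positives such as `?v=..` out while still catching the backslash and NUL-byte variants.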