Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday revealed that Commvault is monitoring cyber threat activity targeting applications hosted in their Microsoft Azure cloud environment. "Threat actors may have accessed client secrets for Commvault's (Metallic) Microsoft 365 (M365) backup software-as-a-service (SaaS) solution, hosted in Azure," the agency said. "This
Analysis Summary
# Incident Report: CISA Advisory on Suspected Broader SaaS Attacks Exploiting App Secrets
## Executive Summary
CISA issued an advisory regarding cyber threat activity targeting the Microsoft Azure cloud environment hosting Commvault's Metallic SaaS M365 backup solution. Threat actors exploited a zero-day vulnerability (CVE-2025-3928) to gain unauthorized access, potentially compromising customer application secrets used to authenticate to M365 environments. Commvault rotated the affected credentials and states that no customer backup data was accessed.
## Incident Details
- Discovery Date: February 2025 (when Microsoft notified Commvault)
- Incident Date: Activity began sometime prior to February 2025. The advisory suggests a broader campaign is ongoing.
- Affected Organization: Commvault (specifically its Metallic M365 backup SaaS solution hosted in Azure)
- Sector: Cloud Services / Data Backup
- Geography: Not explicitly stated, but the advisory is from CISA (U.S. based).
## Timeline of Events
### Initial Access
- Date/Time: Prior to February 2025.
- Vector: Exploitation of a flaw in the Commvault Web Server that was exploited as a zero-day (CVE-2025-3928).
- Details: This flaw allowed a remote, authenticated attacker to create and execute web shells.
### Lateral Movement
- Details: Threat actors accessed client secrets for Commvault's M365 backup SaaS solution hosted in Azure, leading to unauthorized access to customers' M365 environments authenticated via these secrets. The ultimate goal appears to be gaining access to customer M365 spaces.
### Data Exfiltration/Impact
- Impact: Potential unauthorized access to customer M365 environments via compromised application secrets/credentials. Commvault emphasized that there has been **no unauthorized access to customer backup data**.
### Detection & Response
- Detection: Microsoft notified Commvault in February 2025 of unauthorized activity within their Azure environment.
- Response: CISA issued an advisory; Commvault rotated app credentials for M365.
## Attack Methodology
- Initial Access: Exploitation of CVE-2025-3928 (Zero-day vulnerability in Commvault Web Server).
- Persistence: Not explicitly detailed, but sustained access sufficient to perform discovery and collection within the Azure environment is implied.
- Privilege Escalation: Not explicitly detailed, but the successful access to app credentials implies sufficient escalation or discovery of existing high-privilege secrets.
- Defense Evasion: Not detailed; the advisory describes the techniques used to reach customer M365 environments only as sophisticated.
- Credential Access: Accessing "a subset of app credentials" used by customers to authenticate their M365 environments.
- Discovery: Unknown, but necessary to leverage compromised secrets against customer tenants.
- Lateral Movement: Moving from the compromised Commvault Azure environment into customer M365 tenants using stolen application secrets.
- Collection: Collection of M365 application secrets/credentials.
- Exfiltration: Not explicitly detailed as data exfiltration, but access to secrets implies intent for unauthorized use/access.
- Impact: Unauthorized access to customer cloud identity configuration.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: Unspecified subset of customer application credentials/secrets were compromised. **No customer backup data was accessed.**
- Operational: Potential disruption to customers utilizing the affected SaaS service needing credential rotation/management.
- Reputational: Negative impact on trust in Commvault's security posture and SaaS infrastructure.
## Indicators of Compromise
- **Network indicators:** No specific addresses are provided. Commvault recommends monitoring for unauthorized authentications against M365 originating from IP ranges outside Commvault's allowlisted range (if conditional access policies are implemented).
- **File indicators:** No specific file hashes provided in the summary.
- **Behavioral indicators:** Unauthorized modifications or additions of credentials to service principals, visible in Entra audit logs; path-traversal attempts and suspicious file uploads detected by a WAF.
## Response Actions
- Containment measures: Commvault rotated app credentials/secrets for M365.
- Eradication steps: CISA recommendations imply reviewing and revoking excessive permissions on Service Principals and removing external access to management interfaces.
- Recovery actions: Security monitoring enhancements in line with CISA recommendations (monitoring Entra logs).
## Lessons Learned
- Key takeaways: SaaS cloud misconfigurations and the over-reliance on static application secrets/credentials pose significant risks, especially when exploited via zero-day vulnerabilities in the vendor's infrastructure.
- What could have been done better: The vulnerability (CVE-2025-3928) was actively exploited as a zero-day, highlighting the risk tied to vendor-managed infrastructure security.
## Recommendations
- **Implement strong authentication limits:** For single-tenant applications, mandate conditional access policies restricting service principal authentication to an approved, allowlisted set of IP addresses (e.g., Commvault's known management IPs).
- **Conduct rigorous permission reviews:** Review all Application Registrations and Service Principals in Entra that have administrative consent. Ensure privileges granted match the minimum required business need (least privilege).
- **Harden application access:** Restrict access to Commvault management interfaces to trusted networks and specific administrative systems only.
- **Deploy preventative tooling:** Use a Web Application Firewall (WAF) to detect and block path-traversal attempts and suspicious file uploads targeting web application servers.
- **Enhance logging review:** Actively monitor Entra audit logs, sign-in logs, and unified audit logs for suspicious activity related to service principals initiated by Commvault applications.
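The two log checks recommended above (service principal sign-ins from outside an allowlisted range, and credential additions on service principals in the Entra audit log) as an added example; this is not code from the advisory or from Commvault. The log records are constructed, their field names only loosely follow the Microsoft Graph sign-in and directory audit schema, and the allowlisted range and service principal name are hypothetical.

```python
import ipaddress

# Constructed sample records (not real Commvault or Microsoft data); field names
# loosely follow the Microsoft Graph servicePrincipalSignIns / directoryAudits schema.
SIGNIN_LOGS = [
    {"servicePrincipalName": "Commvault Metallic M365", "ipAddress": "203.0.113.10",
     "status": {"errorCode": 0}},
    {"servicePrincipalName": "Commvault Metallic M365", "ipAddress": "198.51.100.77",
     "status": {"errorCode": 0}},
    {"servicePrincipalName": "Unrelated App", "ipAddress": "198.51.100.78",
     "status": {"errorCode": 0}},
]
AUDIT_LOGS = [
    {"activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "targetResources": [{"displayName": "Commvault Metallic M365"}]},
    {"activityDisplayName": "Update application",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "targetResources": [{"displayName": "Commvault Metallic M365"}]},
]

# Hypothetical allowlisted vendor management range (an RFC 5737 documentation prefix).
ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]
CREDENTIAL_EVENTS = {"Add service principal credentials",
                     "Remove service principal credentials"}

def in_allowlist(ip, allowlist=ALLOWLIST):
    """True if the address falls inside any allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist)

def flag_signins(logs, sp_match="Commvault", allowlist=ALLOWLIST):
    """Successful sign-ins by matching service principals from outside the allowlist."""
    return [e for e in logs
            if sp_match in e["servicePrincipalName"]
            and e["status"]["errorCode"] == 0
            and not in_allowlist(e["ipAddress"], allowlist)]

def flag_credential_changes(logs, sp_match="Commvault"):
    """Audit events that add or remove credentials on matching service principals."""
    return [e for e in logs
            if e["activityDisplayName"] in CREDENTIAL_EVENTS
            and any(sp_match in t["displayName"] for t in e["targetResources"])]

if __name__ == "__main__":
    for hit in flag_signins(SIGNIN_LOGS):
        print("sign-in outside allowlist:", hit["servicePrincipalName"], hit["ipAddress"])
    for hit in flag_credential_changes(AUDIT_LOGS):
        print("credential change:", hit["activityDisplayName"],
              "by", hit["initiatedBy"]["user"]["userPrincipalName"])
```

Against real exports, point the two functions at the records returned by the Graph sign-in and audit log endpoints and replace the allowlist with the vendor's published management range.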