Full Report
Enterprise data backup platform Commvault has revealed that an unknown nation-state threat actor breached its Microsoft Azure environment by exploiting CVE-2025-3928 but emphasized there is no evidence of unauthorized data access. "This activity has affected a small number of customers we have in common with Microsoft, and we are working with those customers to provide assistance," the company
Analysis Summary
# Vulnerability: Zero-Day Exploitation of CVE-2025-3928 in Commvault Azure Environment
## CVE Details
- CVE ID: CVE-2025-3928
- CVSS Score: Not specified in text (Severity based on exploitation context is High)
- CWE: Not specified in text
## Affected Systems
- Products: Commvault Web Server
- Versions: Specific vulnerable versions not listed, but the advisory relates to the platform's interaction with Microsoft Azure.
- Configurations: Environments involving Commvault interacting with Microsoft Azure/365/Dynamics 365 single-tenant app registrations where credentials were not rotated/synced.
## Vulnerability Description
A zero-day vulnerability, CVE-2025-3928, was exploited by a nation-state threat actor in Commvault's Microsoft Azure environment. The text implies that exploiting this flaw allowed unauthorized activity and access to the environment, although Commvault stated there was "no unauthorized access to customer backup data that Commvault stores and protects." The exploitation appears to be related to compromised credentials or application secrets tied to Azure authentication.
## Exploitation
- Status: Exploited in the wild (${\text{Zero-Day}}$ activation confirmed by Commvault)
- Complexity: Likely low to medium, given the successful breach by a nation-state actor.
- Attack Vector: Likely Network/Remote.
## Impact
- Confidentiality: Potential, though the vendor claims no customer backup data was accessed. Unauthorized activity occurred in the corporate Azure environment.
- Integrity: Potential for system compromise within the affected Azure environment.
- Availability: No material impact on business operations or service delivery was reported.
## Remediation
### Patches
- Patches required for Commvault Web Server (Specific versions/advisories linked to CISA KEV mandate by May 19, 2025). Specific patch version numbers are not provided in this summary material.
### Workarounds
1. **Conditional Access Policies:** Apply Conditional Access policy to all Microsoft 365, Dynamics 365, and Azure AD single-tenant app registrations.
2. **Credential Rotation:** Rotate and synchronize client secrets between the Azure portal and Commvault every 90 days.
3. **IP Blocking:** Explicitly block the following malicious IP addresses within Conditional Access policies and monitor signs-in logs:
* `108.69.148.100`
* `128.92.80.210`
* `184.153.42.129`
* `108.6.189.53`
* `159.242.42.20`
4. **Credential Rotation:** Affected credentials within the environment were rotated following detection.
## Detection
- **IoCs:** Observe sign-in activity originating from the explicitly listed malicious IP addresses.
- **Detection Methods:** Monitor Azure sign-in logs specifically for activity from the five identified malicious IP addresses. Report any hits immediately to Commvault Support.
## References
- Vendor Advisory (March 7, 2025): h ttps://www.commvault.com/blogs/security-advisory-march-7-2025
- CISA KEV Listing Reference (Implied via article content)
- Commvault Update Link: h ttps://www.commvault.com/blogs/notice-security-advisory-update
- Commvault Monitoring Guidance: h ttps://kb.commvault.com/article/87661