Enterprise data protection company Commvault reported a security incident involving its Microsoft Azure infrastructure, which was compromised through a newly discovered vulnerability tracked as CVE-2025-3928.
According to the company's statement, the breach impacted a limited number of customers it shares with Microsoft. Commvault is actively coordinating with those affected to offer the necessary support.
However, the company said there was no sign that any data had been accessed without permission. Furthermore, Commvault confirmed that the incident did not significantly disrupt its operations or hinder its ability to deliver services and products.
On March 7, 2025, Commvault shared that Microsoft had alerted it on February 20 about suspicious activity in its Azure cloud system. A hacker group, believed to be backed by a nation-state, exploited a vulnerability (CVE-2025-3928) that was unknown at the time. In response, Commvault changed the affected passwords and strengthened its security protections.
This update came after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the same vulnerability to its list of known security risks. CISA is now requiring certain federal agencies to fix the issue in the Commvault Web Server by May 19, 2025.
To reduce the chances of attacks, customers are encouraged to:
- Set up Conditional Access policies for all Microsoft 365, Dynamics 365, and Azure AD single-tenant apps (apps that only one company uses).
- Change and re-sync their client secrets between the Azure portal and Commvault every 90 days.
Commvault is also advising customers to keep a close eye on sign-in logs to catch any login attempts coming from IP addresses that are not part of their approved list. The company identified the following IP addresses as being linked to suspicious or harmful activity:
108.69.148.100
128.92.80.210
184.153.42.129
108.6.189.53
159.242.42.20
Users are strongly encouraged to block these IPs using Conditional Access settings and to regularly review Azure sign-in activity for any attempts coming from them. If any such activity is found, Commvault recommends reporting it to their support team right away for further investigation and response.
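The sign-in review recommended above, as an added example (not Commvault's or Microsoft's code): it sorts exported sign-in records into those from the five listed addresses, those from outside an approved list, and those with an unusable IP field. It assumes a JSON export using the Microsoft Graph sign-in field names `ipAddress`, `userPrincipalName`, `appDisplayName` and `createdDateTime`; the approved ranges and the sample records are constructed.

```python
import ipaddress
import json

# IP addresses Commvault linked to the activity (taken from the list above).
FLAGGED_IPS = {ipaddress.ip_address(ip) for ip in (
    "108.69.148.100", "128.92.80.210", "184.153.42.129",
    "108.6.189.53", "159.242.42.20")}

# Constructed allowlist: replace with your organization's approved egress ranges.
APPROVED_NETS = [ipaddress.ip_network(n)
                 for n in ("203.0.113.0/24", "198.51.100.16/28")]

def classify(ip_text):
    """Return 'flagged', 'approved', 'unapproved' or 'invalid' for one source IP."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except (ValueError, AttributeError):
        return "invalid"      # missing or malformed field: review by hand
    if ip in FLAGGED_IPS:
        return "flagged"      # checked first, even if an allowlist range overlaps
    if any(ip in net for net in APPROVED_NETS):
        return "approved"
    return "unapproved"

def review_sign_ins(records):
    """Return (verdict, record) pairs for every sign-in not from an approved range."""
    findings = [(classify(rec.get("ipAddress")), rec) for rec in records]
    findings = [f for f in findings if f[0] != "approved"]
    # Flagged addresses sort first so they are triaged before other findings.
    order = {"flagged": 0, "unapproved": 1, "invalid": 2}
    return sorted(findings, key=lambda f: order[f[0]])

# Constructed sample export (not real log data).
SAMPLE = json.loads("""[
 {"createdDateTime": "2025-03-01T08:12:44Z", "userPrincipalName": "backup-svc@example.com",
  "appDisplayName": "Backup Connector", "ipAddress": "203.0.113.25"},
 {"createdDateTime": "2025-03-01T09:40:02Z", "userPrincipalName": "backup-svc@example.com",
  "appDisplayName": "Backup Connector", "ipAddress": "192.0.2.77"},
 {"createdDateTime": "2025-03-01T09:41:10Z", "userPrincipalName": "backup-svc@example.com",
  "appDisplayName": "Backup Connector", "ipAddress": "184.153.42.129"},
 {"createdDateTime": "2025-03-01T09:55:31Z", "userPrincipalName": "admin@example.com",
  "appDisplayName": "Azure Portal", "ipAddress": ""}
]""")

if __name__ == "__main__":
    for verdict, rec in review_sign_ins(SAMPLE):
        print(f"{verdict:10} {rec['createdDateTime']} {rec['userPrincipalName']} "
              f"{rec['appDisplayName']} {rec['ipAddress'] or '-'}")
```

Records with an empty or malformed IP field are reported as `invalid` rather than dropped, so a gap in the export does not hide a sign-in from review.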