Stratos Ally

Commvault Confirms Zero-Day Exploit CVE-2025-3928 in Azure Environment


StratosAlly


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced on Thursday that hackers are targeting Commvault’s cloud applications hosted on Microsoft Azure. 

According to CISA, the attackers may have gained access to client secrets used in Commvault’s customers’ Microsoft 365 backup service, known as Metallic. This could allow them to access Commvault customers’ Microsoft 365 accounts.

CISA also warned that this could be part of a larger effort by hackers to break into various cloud services, especially those using standard configurations and high-level access permissions. 

The warning comes a few weeks after Commvault shared that Microsoft had informed them in February 2025 about suspicious activity by a nation-state hacker group in their Azure system. 

This led to the discovery of a serious, previously unknown security flaw (CVE-2025-3928) in Commvault’s Web Server. This flaw could allow a hacker who has already logged in to secretly install and run malicious code. 

Commvault said the attackers are using advanced methods to try to break into customers’ Microsoft 365 accounts. They also mentioned that the hackers might have gained access to some login details that customers use to connect Commvault with their Microsoft 365 services. 

Commvault stated that steps have been taken to fix the issue, such as changing the app login credentials used for Microsoft 365. They also confirmed that no customer backup data was accessed without permission. 

To help protect against these types of threats, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is advising users and IT admins to do the following:

Check Microsoft Entra audit logs for any unusual changes to login credentials made by Commvault tools. 

Review Microsoft logs and look for signs of possible attacks within your systems. 

For apps that belong to a single organization, set up a security rule that only allows logins from approved IP addresses within Commvault’s trusted list. 

Review app and service permissions in Microsoft Entra, making sure none have more access than necessary. 

Limit access to Commvault’s admin interface so only trusted networks and devices can reach it. 

Install a Web Application Firewall (WAF) to detect and block harmful file uploads or hacking attempts and restrict external access to Commvault apps. 
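As an added illustration of the first and third recommendations above (this is example code, not from the article, CISA or Commvault), a small Python check over constructed Microsoft Entra audit log records that flags credential changes initiated by a Commvault-named app from an IP outside an assumed allow-list. The record shape, the activity names and the 203.0.113.0/24 range are assumptions; the real trusted ranges must come from Commvault’s published list.

```python
import ipaddress
import json

# Constructed sample records, loosely modelled on Entra directory audit entries.
# The field layout is simplified and these are NOT real events.
SAMPLE_AUDIT_LOGS = json.dumps([
    {"activityDateTime": "2025-04-20T08:15:00Z",
     "activityDisplayName": "Update application - Certificates and secrets management",
     "initiatedBy": {"app": {"displayName": "Commvault Metallic Backup"},
                     "ipAddress": "203.0.113.10"},
     "targetResources": [{"displayName": "Metallic M365 Backup"}]},
    {"activityDateTime": "2025-04-21T02:43:00Z",
     "activityDisplayName": "Update application - Certificates and secrets management",
     "initiatedBy": {"app": {"displayName": "Commvault Metallic Backup"},
                     "ipAddress": "198.51.100.77"},
     "targetResources": [{"displayName": "Metallic M365 Backup"}]},
    {"activityDateTime": "2025-04-21T09:00:00Z",
     "activityDisplayName": "Add member to group",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"},
                     "ipAddress": "203.0.113.10"},
     "targetResources": [{"displayName": "Helpdesk"}]},
])

# Hypothetical allow-list standing in for Commvault's trusted IP ranges.
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Activity names (assumed) that indicate a secret or certificate being changed.
CREDENTIAL_ACTIVITIES = {
    "Update application - Certificates and secrets management",
    "Add service principal credentials",
}


def find_suspicious_credential_changes(raw_json, trusted_ranges=TRUSTED_RANGES,
                                       app_keyword="commvault"):
    """Return credential-change events started by a Commvault app from an untrusted IP."""
    findings = []
    for ev in json.loads(raw_json):
        if ev.get("activityDisplayName") not in CREDENTIAL_ACTIVITIES:
            continue
        initiator = ev.get("initiatedBy", {})
        app_name = (initiator.get("app") or {}).get("displayName", "")
        if app_keyword not in app_name.lower():
            continue
        ip_text = initiator.get("ipAddress")
        # A missing source IP is treated as untrusted rather than silently skipped.
        trusted = bool(ip_text) and any(
            ipaddress.ip_address(ip_text) in net for net in trusted_ranges)
        if not trusted:
            findings.append({"time": ev["activityDateTime"], "app": app_name,
                             "ip": ip_text or "unknown",
                             "target": ev["targetResources"][0]["displayName"]})
    return findings
```

Run against a real export, the same function can be fed the JSON returned by the Graph directoryAudits endpoint once the field paths are adjusted to the live schema.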

CISA added the security flaw (CVE-2025-3928) to its list of known exploited vulnerabilities in April 2025 and said it’s still investigating the situation with its partners.
