Commvault Hack: SaaS Security Risk & CISA Warning

CISA Warns of Nation-State Hackers Exploiting Commvault Zero-Day to Target SaaS Providers

The Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations to patch their systems immediately following the revelation of a Commvault zero-day vulnerability being actively exploited by nation-state hackers.


The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that a recent security breach at Commvault poses a meaningful risk to Software-as-a-Service (SaaS) providers. The agency is actively monitoring the situation and has advised Commvault customers to take immediate steps to mitigate potential risks.

According to a security advisory, threat actors may have gained unauthorized access to client secrets for Commvault’s Metallic Microsoft 365 backup SaaS solution. Commvault’s Metallic platform provides backup and recovery for Microsoft 365, endpoints, virtual machines, databases, and other workloads, all hosted on Microsoft Azure. Because the Microsoft 365 backup service authenticates to customer tenants as an Entra application, a stolen client secret is effectively a credential for that application in every tenant where it is consented.

Commvault Confirms State-Sponsored Cyberattack

Commvault has acknowledged that Microsoft alerted them to an ongoing state-sponsored cyberattack. The company confirmed that a limited number of customers were targeted through a zero-day vulnerability, identified as CVE-2025-3928. This vulnerability affects the Commvault Web Server and can be exploited by a remote, authenticated attacker to create and execute web shells on the server.

CISA has added CVE-2025-3928 to its Known Exploited Vulnerabilities (KEV) catalog, mandating that Federal Civilian Executive Branch (FCEB) agencies apply the necessary patches within three weeks. The vulnerability is addressed in Commvault versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for both Windows and Linux platforms.

“CISA believes the threat activity may be part of a larger campaign targeting various SaaS companies’ cloud applications.”

Mitigation Steps Recommended by CISA

CISA has expressed concern that this activity is part of a broader campaign targeting the cloud applications of various SaaS companies, in particular applications left with default configurations and elevated permissions. The agency recommends several mitigation measures, including:

  • Monitoring Entra audit logs for unauthorized modifications or additions of credentials to service principals initiated by Commvault applications or service principals
  • Reviewing Microsoft logs and conducting internal threat hunting
  • Reviewing the list of Application Registrations and Service Principals in Entra, with attention to those granted administrative consent for more privileges than the business needs

A thorough list of mitigations is available on the CISA website.

Frequently Asked Questions

What is a zero-day vulnerability?
A zero-day vulnerability is a software flaw that is unknown to the vendor and for which no patch is available. This makes it particularly dangerous because attackers can exploit it before developers have a chance to fix it.
What is CISA?
The Cybersecurity and Infrastructure Security Agency (CISA) is a US federal agency responsible for protecting the nation’s critical infrastructure from cyber and physical threats.
What steps can SaaS providers take to protect themselves from attacks?
SaaS providers should implement robust security measures, including regular vulnerability scanning, penetration testing, and strong access controls. They should also monitor their systems for suspicious activity and promptly apply security patches.
What should Commvault customers do to mitigate the risks?
Commvault customers should immediately apply the security patches released by Commvault, monitor their Entra audit logs, review Microsoft logs, and review the list of Application Registrations and Service Principals in Entra.
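The two recommendations that recur above, in the mitigation list and in the last FAQ answer, are to watch Entra audit logs for credentials added to service principals by the Commvault app and to review app permissions against what the business actually needs. The script below is an added example that is not Commvault's or CISA's code: it runs both checks over a constructed Entra directory-audit export and a constructed permission inventory. Field names follow Microsoft Graph's directoryAudit resource; the app display names, object IDs, sample records and the permission baseline are assumptions made for the example.

```python
"""Hunt a Microsoft Entra ID directory-audit export for credentials added to
service principals by a Commvault-named app, and compare admin-consented app
permissions to a business baseline. Added example, not Commvault's or CISA's
code. Records, names, IDs and the baseline below are constructed."""
import json
from datetime import datetime, timezone

# Audit activityDisplayName values that add or rotate a secret/certificate on
# an identity. Match is exact, so confirm the strings (and the dash variant
# Microsoft uses) against your own tenant's export before relying on them.
CREDENTIAL_ACTIVITIES = {
    "Add service principal credentials",
    "Update application - Certificates and secrets management",
    "Update application \u2013 Certificates and secrets management",
}

# Constructed export (shape of GET /auditLogs/directoryAudits), trimmed to the
# fields used here. Record 4 is the pattern to escalate: the Commvault app
# adding a secret to a *different* principal.
SAMPLE_AUDIT_JSON = """[
 {"activityDateTime": "2025-05-20T02:14:09Z",
  "activityDisplayName": "Add service principal credentials",
  "result": "success",
  "initiatedBy": {"app": {"displayName": "Commvault Metallic M365 Backup",
                          "servicePrincipalId": "11111111-1111-1111-1111-111111111111"}},
  "targetResources": [{"displayName": "Commvault Metallic M365 Backup"}]},
 {"activityDateTime": "2025-05-20T09:30:00Z",
  "activityDisplayName": "Add service principal credentials",
  "result": "success",
  "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
  "targetResources": [{"displayName": "HR Portal"}]},
 {"activityDateTime": "2025-05-20T10:00:00Z",
  "activityDisplayName": "Update service principal",
  "result": "success",
  "initiatedBy": {"app": {"displayName": "Commvault Metallic M365 Backup",
                          "servicePrincipalId": "11111111-1111-1111-1111-111111111111"}},
  "targetResources": [{"displayName": "Commvault Metallic M365 Backup"}]},
 {"activityDateTime": "2025-04-01T00:00:00Z",
  "activityDisplayName": "Add service principal credentials",
  "result": "success",
  "initiatedBy": {"app": {"displayName": "Commvault Metallic M365 Backup",
                          "servicePrincipalId": "11111111-1111-1111-1111-111111111111"}},
  "targetResources": [{"displayName": "Finance Mailbox Reader"}]}
]"""


def parse_time(value):
    """Graph emits ISO-8601 UTC timestamps with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def hunt_credential_additions(records, initiator_pattern="commvault", since=None):
    """Return credential additions initiated by an app (not a user) whose
    display name contains initiator_pattern, optionally only after `since`."""
    findings = []
    for rec in records:
        if rec.get("activityDisplayName") not in CREDENTIAL_ACTIVITIES:
            continue
        app = rec.get("initiatedBy", {}).get("app")
        if not app:
            continue  # user-initiated credential changes are a separate review
        initiator = app.get("displayName", "")
        if initiator_pattern.lower() not in initiator.lower():
            continue
        when = parse_time(rec["activityDateTime"])
        if since is not None and when < since:
            continue
        targets = [t.get("displayName", "") for t in rec.get("targetResources", [])]
        findings.append({
            "when": when.isoformat(),
            "activity": rec["activityDisplayName"],
            "initiator": initiator,
            "initiator_id": app.get("servicePrincipalId"),
            "targets": targets,
            # A secret minted on a principal other than the initiator itself
            # suggests a stolen app credential being used to persist elsewhere.
            "cross_principal": any(t != initiator for t in targets),
        })
    return findings


def run_sample(since=None):
    """Convenience wrapper: the hunt over the constructed export above."""
    return hunt_credential_additions(json.loads(SAMPLE_AUDIT_JSON), since=since)


# Constructed inventory of admin-consented application permissions, flattened
# to permission names. The baseline is an assumption for this example, not
# Commvault's documented requirement.
SAMPLE_PERMISSIONS = {
    "Commvault Metallic M365 Backup": {"Mail.ReadWrite", "Sites.FullControl.All",
                                       "Directory.ReadWrite.All"},
    "HR Portal": {"User.Read.All"},
}
BASELINE = {
    "Commvault Metallic M365 Backup": {"Mail.ReadWrite", "Sites.FullControl.All"},
    "HR Portal": {"User.Read.All"},
}


def excess_permissions(granted, baseline):
    """Permissions each app holds beyond what its business baseline allows."""
    return {app: sorted(perms - baseline.get(app, set()))
            for app, perms in granted.items() if perms - baseline.get(app, set())}


if __name__ == "__main__":
    cutoff = datetime(2025, 5, 1, tzinfo=timezone.utc)
    for finding in run_sample(since=cutoff):
        print("ALERT", finding)
    print("excess permissions:", excess_permissions(SAMPLE_PERMISSIONS, BASELINE))
```

In a real tenant the records come from the Graph `/auditLogs/directoryAudits` endpoint or a Log Analytics export of the `AuditLogs` table; the filter deliberately keys on the initiating app rather than the target, because CISA's concern is what the Commvault identity did, not what was done to it. Any `cross_principal` hit, and any permission beyond the baseline, should be treated as a finding to investigate, not auto-remediated.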

About the Author

Riley Thompson is a cybersecurity reporter covering threats, vulnerabilities, and the latest trends in digital defense.
