Advisory Update on Cyber Threat Activity Targeting Commvault’s SaaS Cloud Application (Metallic)

Commvault is monitoring cyber threat activity targeting their applications hosted in their Microsoft Azure cloud environment. Threat actors may have accessed client secrets for Commvault’s (Metallic) Microsoft 365 (M365) backup software-as-a-service (SaaS) solution, hosted in Azure. This provided the threat actors with unauthorized access to Commvault’s customers’ M365 environments that have application secrets stored by Commvault.

See the following resource for more information: Notice: Security Advisory (Update).

CISA believes the threat activity may be part of a larger campaign targeting various SaaS companies’ cloud applications with default configurations and elevated permissions.

CISA urges users and administrators to review the following mitigations and apply necessary patches and updates for all systems:

  1. Monitor Entra audit logs for unauthorized modifications or additions of credentials to service principals initiated by Commvault applications/service principals.
    1. Handle deviations from regular login schedules as suspicious.
    2. For more information, see NSA and CISA’s Identity Management guidance, as well as CISA’s guidance on Identity, Credential, and Access Management (ICAM) Reference Architecture.
  2. Review Microsoft logs (Entra audit, Entra sign-in, unified audit logs) and conduct internal threat hunting in alignment with documented organizational incident response policies.
  3. (Applies to single tenant apps only) Implement a conditional access policy that limits authentication of an application service principal to an approved IP address that is listed within Commvault’s allowlisted range of IP addresses.
    1. Note: A Microsoft Entra Workload ID Premium License is required to apply conditional access policies to an application service principal and is available to customers at an additional cost.[1]
  4. Certain Commvault customers should rotate their application secrets and the credentials on Commvault Metallic applications and service principals available between February and May 2025.[2] Note: This mitigation only applies to a limited number of customers who themselves have control over Commvault’s application secrets.
    1. Where applicable, customers who are able to should establish a policy to rotate credentials regularly, at least every 30 days.
  5. Review the list of Application Registrations and Service Principals in Entra that have administrative consent for higher privileges than the business need requires.
  6. Implement general M365 security recommendations outlined in CISA’s Secure Cloud Business Applications (SCuBA) Project.
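
One way to run the check in step 1 over exported Entra audit records, as an added example that is not part of the advisory or of any Commvault or CISA tooling. It assumes records in the Microsoft Graph `directoryAudit` JSON shape; the watched application ID, display names and sample records are constructed placeholders.

```python
# Audit activities that add or change secrets/certificates on an app or service principal.
CREDENTIAL_ACTIVITIES = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}

# Placeholder identifiers (assumption): replace with the appId or service principal
# object id of the Commvault applications registered in your tenant.
WATCHED_IDS = {"00000000-0000-0000-0000-0000000000aa"}


def credential_changes(records, watched_ids=WATCHED_IDS):
    """Return one finding per target touched by a watched app's credential change."""
    findings = []
    for rec in records:
        if rec.get("activityDisplayName") not in CREDENTIAL_ACTIVITIES:
            continue
        app = (rec.get("initiatedBy") or {}).get("app") or {}
        if not {app.get("appId"), app.get("servicePrincipalId")} & watched_ids:
            continue  # initiated by a user or an unrelated app
        for target in rec.get("targetResources") or []:
            findings.append({
                "time": rec.get("activityDateTime"),
                "activity": rec["activityDisplayName"],
                "result": rec.get("result"),
                "initiator": app.get("displayName"),
                "target": target.get("displayName"),
            })
    return findings


# Constructed sample records, not real log data.
SAMPLE = [
    {"activityDateTime": "2025-01-01T02:14:00Z", "result": "success",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"app": {"appId": "00000000-0000-0000-0000-0000000000aa",
                             "displayName": "backup-app (placeholder)"}},
     "targetResources": [{"displayName": "target-sp (placeholder)"}]},
    {"activityDateTime": "2025-01-01T09:30:00Z", "result": "success",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}, "app": None},
     "targetResources": [{"displayName": "hr-sync (placeholder)"}]},
    {"activityDateTime": "2025-01-01T10:00:00Z", "result": "success",
     "activityDisplayName": "Add member to group",
     "initiatedBy": {"app": {"appId": "00000000-0000-0000-0000-0000000000aa"}},
     "targetResources": [{"displayName": "some-group (placeholder)"}]},
]

if __name__ == "__main__":
    print(credential_changes(SAMPLE))
```

Each finding still needs to be compared against change records to decide whether the credential change was authorized.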

Precautionary Recommendations for On-premises Software Versions

  1. Where technically feasible, restrict access to Commvault management interfaces to trusted networks and administrative systems.
  2. Detect and block path-traversal attempts and suspicious file uploads by deploying a Web Application Firewall and removing external access to Commvault applications [CSA-250502].
  3. Apply the patches provided [3] and follow these best practices [4].
    1. Especially monitor activity from unexpected directories, particularly web-accessible paths.

CISA added CVE-2025-3928 to the Known Exploited Vulnerabilities Catalog and is continuing to investigate the malicious activity in collaboration with partner organizations.

References

[1] Workload identities – Microsoft Entra Workload ID | Microsoft Learn

[2] Change a Client Secret for the Azure App for OneDrive for Business

[3] CV_2025_03_1: Critical Webserver Vulnerability

[4] Best Practice Guide: Enhancing Security with Conditional Access and Sign-In Monitoring

Additional Resources

Organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870.
