CISA: Threat actors target M365 credentials via Commvault vulnerability
CISA warns of nation-state threat actors exploiting a zero-day in Commvault’s Azure-hosted M365 SaaS environment to access credentials.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about unauthorized activity targeting Commvault’s Microsoft Azure-hosted applications, particularly the company’s Microsoft 365 (M365) backup software-as-a-service (SaaS) platform known as Metallic.
According to CISA, threat actors may have accessed client secrets stored by Commvault, potentially gaining unauthorized access to customer M365 environments.
The activity is believed to be part of a broader campaign targeting cloud infrastructure operated by SaaS providers using default configurations and elevated permissions.
Commvault said it was alerted by Microsoft in February 2025 about nation-state threat actors exploiting a zero-day vulnerability—CVE-2025-3928—in its web server. The flaw allowed remote, authenticated attackers to execute malicious web shells.
The company acknowledged that some app credentials used by customers for M365 authentication may have been accessed, though it confirmed that no backup data was compromised. Commvault has since rotated affected credentials and implemented additional safeguards.
CISA has issued mitigation recommendations, including monitoring Entra logs, restricting Commvault access to trusted networks, and reviewing administrative permissions granted to application service principals. The agency is continuing its investigation alongside industry partners.
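As an added illustration of the log-review step in CISA's recommendations (this is example code written for this page, not code from the article, CISA or Commvault), the script below checks service principal sign-in records against the networks an organisation has approved for a backup vendor's application. The record layout is a simplified, assumed one loosely modelled on Entra ID service principal sign-in logs, and every appId, name and IP address in it is constructed.

```python
import ipaddress
import json

# Constructed sample records in newline-delimited JSON, loosely modelled on
# Entra ID service principal sign-in log fields. Values are invented for this
# example and are not real log data; 203.0.113.x and 198.51.100.x are
# documentation ranges.
SAMPLE_LOG = """
{"createdDateTime": "2025-02-20T08:01:12Z", "appId": "11111111-aaaa-4bbb-8ccc-000000000001", "servicePrincipalName": "backup-saas-connector", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-20T08:05:40Z", "appId": "11111111-aaaa-4bbb-8ccc-000000000001", "servicePrincipalName": "backup-saas-connector", "ipAddress": "203.0.113.11", "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-21T02:17:03Z", "appId": "11111111-aaaa-4bbb-8ccc-000000000001", "servicePrincipalName": "backup-saas-connector", "ipAddress": "198.51.100.77", "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-21T02:18:30Z", "appId": "11111111-aaaa-4bbb-8ccc-000000000001", "servicePrincipalName": "backup-saas-connector", "ipAddress": "198.51.100.77", "status": {"errorCode": 7000215}}
{"createdDateTime": "2025-02-21T09:00:00Z", "appId": "22222222-aaaa-4bbb-8ccc-000000000002", "servicePrincipalName": "hr-sync", "ipAddress": "203.0.113.20", "status": {"errorCode": 0}}
"""

# Egress ranges agreed with the vendor for its application, keyed by appId.
# Constructed for the example; a real allow list comes from the vendor and
# the tenant's own conditional access policy. Apps not listed are not checked.
TRUSTED_NETWORKS = {
    "11111111-aaaa-4bbb-8ccc-000000000001": ["203.0.113.0/24"],
}


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_untrusted_signins(records, trusted=TRUSTED_NETWORKS):
    """Return (time, service principal, ip, succeeded) for every sign-in by a
    monitored application from an IP outside its allow-listed networks.
    Failed attempts are reported too: a stolen client secret that is rotated
    still leaves failed sign-ins from the attacker's infrastructure."""
    flagged = []
    for rec in records:
        nets = trusted.get(rec.get("appId"))
        if nets is None:
            continue
        ip = ipaddress.ip_address(rec["ipAddress"])
        if not any(ip in ipaddress.ip_network(n) for n in nets):
            succeeded = rec.get("status", {}).get("errorCode") == 0
            flagged.append((rec["createdDateTime"], rec["servicePrincipalName"],
                            rec["ipAddress"], succeeded))
    return flagged


if __name__ == "__main__":
    for when, name, ip, ok in flag_untrusted_signins(parse_signins(SAMPLE_LOG)):
        print(f"{when} {name} from untrusted {ip} ({'success' if ok else 'failure'})")
```

In practice the records would be exported from the tenant's sign-in logs rather than embedded, and a hit on a backup application's service principal is the cue to check the permissions that principal holds and whether its credentials were rotated.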