- Nation-state hackers abuse a Commvault zero-day to target SaaS companies
- CISA warns users to patch their systems
- A large-scale campaign is reportedly underway
The US Cybersecurity and Infrastructure Security Agency (CISA) warns that the recent Commvault breach could endanger many software-as-a-service (SaaS) providers.
In a recently published security advisory, the agency said the attack is being monitored and urged Commvault customers to mitigate possible risks.
Commvault's flagship product, Metallic, is a cloud-based SaaS data protection platform that provides secure backup and recovery for Microsoft 365, endpoints, virtual machines, databases and other workloads. It is all hosted on Microsoft Azure, and CISA says the unnamed threat actors “may have accessed client secrets for Commvault's (Metallic) Microsoft 365 backup SaaS solution.”
“This provided the threat actors with unauthorized access to the M365 environments of Commvault customers who have application secrets stored by Commvault.”
At the same time, Commvault published a blog post in which it said Microsoft had contacted it to warn of an ongoing state-sponsored cyberattack.
The company confirmed that a “handful of customers” had been targeted via a zero-day vulnerability tracked as CVE-2025-3928, an unspecified flaw in the Commvault web server that can be exploited by a remote, authenticated attacker.
CISA added it to its Known Exploited Vulnerabilities (KEV) catalog on April 28, giving Federal Civilian Executive Branch (FCEB) agencies a three-week deadline to patch. The bug was fixed in versions 11.36.46, 11.32.89, 11.28.141 and 11.20.217 for the Windows and Linux platforms.
“CISA believes the threat activity may be part of a wider campaign targeting various SaaS companies' cloud applications with default configurations and elevated permissions,” the agency added in the advisory.
The agency has also put together a list of mitigations that companies should follow to minimize their chances of being hit. These include monitoring Entra audit logs, reviewing Microsoft logs, reviewing the list of application registrations and service principals in Entra, and more. The full list can be found at this link.
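The mitigations above amount to checking who has been adding credentials to the application registrations and service principals that a backup provider such as Commvault uses in a customer's tenant. The script below is an added example, not code from the article, CISA or Commvault: it reads an exported Microsoft Entra audit log in the shape returned by the Microsoft Graph `directoryAudit` resource and lists every secret or certificate addition against a watched set of principals, noting whether the change was made by a user or by an application, and whether a service principal issued a credential to itself. The activity names, the principal name `Backup-SaaS-Connector` and all log records are assumptions constructed for the example; confirm the activity strings against your own tenant's export.

```python
"""Review an exported Microsoft Entra audit log for credential additions to
application registrations and service principals.

Added example; not from the article, CISA or Commvault. Record layout follows
the Microsoft Graph `directoryAudit` resource; every record below is constructed.
"""
import json
from datetime import datetime

# Entra audit activity names that indicate a secret or certificate was added to an
# app registration or service principal (assumed; verify against your export).
CREDENTIAL_ACTIVITIES = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}

# Constructed sample export: one self-issued app credential, one user-added
# application secret, and one unrelated user update that must be ignored.
SAMPLE_AUDIT_EXPORT = json.dumps({"value": [
    {
        "activityDateTime": "2025-04-20T02:14:11Z",
        "activityDisplayName": "Add service principal credentials",
        "result": "success",
        "initiatedBy": {"app": {"displayName": "Backup-SaaS-Connector",
                                "servicePrincipalId": "sp-0001"}},
        "targetResources": [{"type": "ServicePrincipal",
                             "displayName": "Backup-SaaS-Connector", "id": "sp-0001"}],
    },
    {
        "activityDateTime": "2025-04-21T09:05:00Z",
        "activityDisplayName": "Update application – Certificates and secrets management",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
        "targetResources": [{"type": "Application",
                             "displayName": "Backup-SaaS-Connector", "id": "app-0001"}],
    },
    {
        "activityDateTime": "2025-04-21T10:00:00Z",
        "activityDisplayName": "Update user",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
        "targetResources": [{"type": "User", "displayName": "Jane Doe", "id": "u-1"}],
    },
]})


def actor_of(record):
    """Return (kind, name): who initiated the event, an app or a user."""
    who = record.get("initiatedBy") or {}
    if who.get("app"):
        app = who["app"]
        return "app", app.get("displayName") or app.get("servicePrincipalId")
    if who.get("user"):
        return "user", who["user"].get("userPrincipalName")
    return "unknown", None


def find_credential_additions(export_json, watched_names, since=None):
    """List credential additions whose target is one of `watched_names`.

    `since` is an optional timezone-aware datetime; older events are skipped.
    Each finding records the actor, the target and whether the target service
    principal issued the credential to itself (an app acting on its own identity).
    """
    records = json.loads(export_json).get("value", [])
    findings = []
    for rec in records:
        if rec.get("activityDisplayName") not in CREDENTIAL_ACTIVITIES:
            continue
        when = datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00"))
        if since is not None and when < since:
            continue
        actor_type, actor = actor_of(rec)
        for target in rec.get("targetResources", []):
            name = target.get("displayName")
            if name not in watched_names:
                continue
            findings.append({
                "when": when.isoformat(),
                "activity": rec["activityDisplayName"],
                "result": rec.get("result"),
                "actor_type": actor_type,
                "actor": actor,
                "target_type": target.get("type"),
                "target": name,
                "target_id": target.get("id"),
                # A service principal adding a credential to itself deserves a look.
                "self_issued": actor_type == "app" and actor == name,
            })
    findings.sort(key=lambda f: f["when"])
    return findings


if __name__ == "__main__":
    for f in find_credential_additions(SAMPLE_AUDIT_EXPORT, {"Backup-SaaS-Connector"}):
        flag = " SELF-ISSUED" if f["self_issued"] else ""
        print(f"{f['when']} {f['activity']} by {f['actor_type']}:{f['actor']} "
              f"on {f['target_type']}:{f['target']}{flag}")
```

Run it against a real export (for example the JSON returned by the Graph `auditLogs/directoryAudits` endpoint) by replacing `SAMPLE_AUDIT_EXPORT` and passing the display names of the backup vendor's app registration and service principal as `watched_names`; any entry whose actor you did not expect, and any `self_issued` entry, is what the review in the advisory is looking for.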
Via The register