The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a serious warning about ongoing cyberattacks targeting SaaS infrastructures—highlighting a breach involving Commvault’s Metallic SaaS platform hosted on Microsoft Azure. This disclosure suggests a wider, organized campaign that leverages cloud misconfigurations, exposed app secrets, and advanced tactics—possibly by nation-state-level threat actors.
🎯 Incident Overview: What Happened?
In February 2025, Microsoft alerted Commvault to unauthorized activity in their Azure-hosted environment. The attacker, suspected to be part of a nation-state group, exploited a zero-day vulnerability (CVE-2025-3928) in the Commvault Web Server, enabling them to deploy remote-access web shells.
📌 Key Findings:
- Attackers accessed sensitive app secrets used by Commvault customers to authenticate with Microsoft 365 (M365).
- These secrets may have granted unauthorized access to customer cloud environments.
- The vulnerability is now included in CISA’s Known Exploited Vulnerabilities (KEV) catalog.
🧠 What CVE-2025-3928 Means for You
- Vulnerability Type: Remote Authenticated Web Shell Execution
- Risk Level: Critical
- Impact: Exposure of M365 app credentials, potential lateral movement, data exfiltration
- Scope: Customers using Commvault’s Metallic backup SaaS on Microsoft Azure
This breach underscores the dangers of default cloud configurations, insufficient privilege separation, and poorly managed application secrets.
🚨 The Bigger Picture: A Broader Campaign
According to CISA, this incident may be part of an expanding threat landscape involving:
- Exploitation of elevated service principal permissions
- Abuse of unencrypted or mismanaged app secrets
- Lack of network-level access controls for cloud apps
At SoloSecurities, we’ve observed similar threat vectors being used against other SaaS platforms, indicating that this isn’t an isolated incident but part of a well-coordinated, multi-vector campaign.
🛡️ CISA & SoloSecurities Recommendations
🧩 Secure Your Cloud Ecosystem:
1. Monitor Logs for Suspicious Access
- Inspect Microsoft Entra logs, Unified Audit Logs, and Sign-In Logs.
- Detect any credential modifications by Commvault-associated service principals.
2. Lock Down Authentication
- Implement Conditional Access Policies to allow authentication only from approved IPs (e.g., Commvault allowlisted ranges).
- Regularly rotate and restrict secrets used for SaaS integrations.
3. Audit Permissions
- Reassess all Application Registrations and Service Principals.
- Apply the Principle of Least Privilege (PoLP) across all cloud assets.
4. Harden Interfaces & Deploy WAFs
- Use Web Application Firewalls (WAFs) to:
  - Detect and block path traversal attacks
  - Stop malicious file uploads
- Disable external access to Commvault management UIs.
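The log checks in steps 1 and 2 above, as an added Python example that is not from the original post, CISA or Commvault: it scans constructed Entra audit-log and sign-in-log records for secret or certificate changes touching a watched service principal, and for that principal signing in from outside an IP allowlist. The record field names, the principal name "Commvault-Backup-SP" and the allowlisted range are assumptions to replace with your own export and your vendor's published ranges.

```python
import ipaddress

# Constructed sample records shaped like Entra audit-log and sign-in-log exports
# (field names are assumptions; check them against your own export).
AUDIT_LOG = [
    {"activityDateTime": "2025-02-20T03:14:00Z",
     "activityDisplayName": "Update application – Certificates and secrets management",
     "initiatedBy": {"app": {"displayName": "Commvault-Backup-SP"}},
     "targetResources": [{"displayName": "Commvault-Backup-SP"}]},
    {"activityDateTime": "2025-02-20T09:00:00Z",
     "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "targetResources": [{"displayName": "jdoe"}]},
]
SIGNIN_LOG = [
    {"createdDateTime": "2025-02-20T03:15:00Z", "servicePrincipalName": "Commvault-Backup-SP", "ipAddress": "203.0.113.10"},
    {"createdDateTime": "2025-02-20T04:00:00Z", "servicePrincipalName": "Commvault-Backup-SP", "ipAddress": "198.51.100.7"},
]
# Hypothetical allowlist and watched principal names; substitute the vendor's published ranges.
ALLOWED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
WATCHED_PRINCIPALS = {"Commvault-Backup-SP"}

def actor_of(entry):
    """Display name of the app or user that initiated an audit entry."""
    who = entry.get("initiatedBy", {})
    if "app" in who:
        return who["app"].get("displayName", "")
    return who.get("user", {}).get("userPrincipalName", "")

def credential_changes(audit_log, watched):
    """Secret/certificate changes where a watched principal is the actor or the target."""
    hits = []
    for e in audit_log:
        targets = {t.get("displayName", "") for t in e.get("targetResources", [])}
        if ("Certificates and secrets" in e.get("activityDisplayName", "")
                and (actor_of(e) in watched or targets & watched)):
            hits.append((e["activityDateTime"], actor_of(e), sorted(targets)))
    return hits

def offlist_signins(signin_log, watched, allowed):
    """Sign-ins by watched service principals from IPs outside the allowlist."""
    hits = []
    for s in signin_log:
        ip = ipaddress.ip_address(s["ipAddress"])
        if s.get("servicePrincipalName") in watched and not any(ip in n for n in allowed):
            hits.append((s["createdDateTime"], s["servicePrincipalName"], s["ipAddress"]))
    return hits
```

Both functions return the matching records, so the same logic can be pointed at a Graph export or a SIEM query result and the hits fed into an alert.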
🧬 Threat Actor Profile
This operation shows hallmarks of a highly advanced threat actor:
- Zero-day exploitation
- Credential harvesting
- Persistence via web shells
- Cloud-native reconnaissance techniques
It reflects a growing trend where attackers target the identity and access layer—a common weak point in many SaaS deployments.
⚙️ SoloSecurities Recommendations for SaaS Security
At SoloSecurities, our experts recommend:
- Conducting SaaS penetration testing at least quarterly
- Performing cloud posture assessments across Azure, AWS, and Google Cloud
- Using secrets management systems (e.g., HashiCorp Vault, AWS Secrets Manager)
- Enforcing MFA on all privileged cloud accounts and app integrations
- Auditing app-to-app trust relationships regularly
💡 Final Thought: Don’t Wait for the Next Breach
This incident is not just a one-off warning. It’s a clear indicator of how modern attacks are shifting toward cloud-layer vulnerabilities and exploiting SaaS-specific weaknesses.
Whether you’re using Commvault or not, this is the moment to harden your SaaS infrastructure, revisit your IAM policies, and perform a thorough risk audit.