Commvault Azure Environment Breach and CVE-2025-3928 Exploitation


In early 2025, Commvault, a major enterprise data backup and cloud service provider, confirmed that its Microsoft Azure-hosted environment had been compromised by a sophisticated nation-state threat actor. The breach involved exploitation of a previously unknown zero-day vulnerability affecting Commvault Web Server components, resulting in unauthorized access to credentials used to authenticate Microsoft 365 (M365) environments.

Severity Level: High

INCIDENT OVERVIEW:

  1. CVE ID: CVE-2025-3928
  2. CVSS Score: 8.7
  3. Exploit Requirements:
    • Valid user credentials (i.e., authenticated access)
    • Webserver accessible externally via the internet
    • Chainable with credential theft or other prior access mechanisms
  4. Exploitation Impact: Allowed threat actors to create and execute webshells remotely.

HOW THE BREACH HAPPENED:

  1. Initial Access (February 2025): The breach began in early February 2025 when a nation-state threat actor gained initial access to Commvault’s Microsoft Azure environment. Microsoft notified Commvault of suspicious activity on February 20. The attackers exploited misconfigured cloud applications and obtained access to application credentials (client secrets) stored by Commvault for M365 integration, allowing them to impersonate legitimate service principals.
  2. Exploitation of Vulnerability (CVE-2025-3928): The attackers used valid credentials to exploit CVE-2025-3928, a zero-day vulnerability in the Commvault Web Server. This flaw allowed a remote authenticated attacker to upload and execute webshells, gaining persistence and expanding their access within Commvault’s infrastructure. The vulnerability existed in multiple versions of Commvault’s software and was not known publicly at the time of the breach.
  3. Lateral Movement into Customer M365 Environments: Using compromised app secrets and M365 OAuth tokens, the threat actor accessed customers’ M365 tenants via Commvault-managed service principals. They potentially escalated access using default permissions, overly privileged service principals, or misconfigured application scopes. This lateral movement allowed visibility and control over downstream customer environments.
  4. Cloud Misconfigurations & Identity Exploitation: The attack campaign also took advantage of cloud identity misconfigurations, such as excessive privileges granted to service principals and absence of Conditional Access policies. Commvault-managed M365 applications with unrotated secrets and insufficient IP filtering gave the attackers a stealthy path to move laterally without triggering immediate alerts.
  5. Persistence & Monitoring Evasion: The attackers were able to remain undetected for a period by operating through legitimate service credentials and staying within trusted IP ranges. No ransomware or destructive actions were deployed. However, they maintained a low-profile presence, focusing on stealthy access and exfiltration of identity data and secrets from impacted SaaS-linked resources.

DATA STOLEN DURING THE BREACH:

  • No customer backup data compromised.
  • Credential information (client secrets for M365 SaaS integration) potentially accessed.
  • No direct evidence of customer data exfiltration.

LESSONS LEARNT:

  1. The attackers leveraged legitimate service principal credentials to access customer M365 environments without geographic or IP-based restrictions. This highlights a gap in enforcing Conditional Access Policies (CAPs) to restrict logins to approved IPs and regions, which could have blocked unauthorized access early.
  2. The compromise of client secrets used to authenticate M365 environments points to inadequate credential rotation practices. Many app secrets were not rotated within recommended 30–90 day cycles, leaving long-lived tokens vulnerable to reuse by attackers.
  3. The threat actor exploited over-permissioned service principals and misconfigured app registrations. This suggests a failure to apply the principle of least privilege to service accounts, allowing the actor to laterally access and manipulate systems beyond their intended scope.
  4. The breach was exacerbated by cloud misconfigurations, such as default configurations on app service principals, inadequate scoping of application permissions, and failure to monitor app registration activity—highlighting the need for robust SaaS security posture management (SSPM).
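The second lesson above turns on secret age: a client secret that was issued long ago, or that was configured with a multi-year lifetime, is exactly the kind of long-lived credential an attacker can keep reusing. The script below is an added example, not code from Commvault or from this advisory; it reviews a set of app registrations and reports every password credential whose age or configured lifetime exceeds the 90-day upper bound the advisory cites. The input records are constructed and only loosely mirror the `passwordCredentials` shape returned by Microsoft Graph; the display names and key IDs are placeholders.

```python
"""Secret-age review for Entra app registrations (added example, not from the advisory)."""
from datetime import datetime, timezone

# Upper end of the 30-90 day rotation cycle the advisory recommends.
MAX_SECRET_AGE_DAYS = 90

# Constructed sample input. Field names loosely follow Graph's passwordCredentials
# objects; names and keyIds are placeholders, not values from any real tenant.
SAMPLE_APPS = [
    {
        "displayName": "Backup Integration App (constructed)",
        "passwordCredentials": [
            {"keyId": "constructed-key-1",
             "startDateTime": "2024-06-01T00:00:00Z",
             "endDateTime": "2026-06-01T00:00:00Z"},
        ],
    },
    {
        "displayName": "Recently Rotated App (constructed)",
        "passwordCredentials": [
            {"keyId": "constructed-key-2",
             "startDateTime": "2025-04-20T00:00:00Z",
             "endDateTime": "2025-07-19T00:00:00Z"},
        ],
    },
    {
        # Certificate-only registration: nothing to rotate on the secret side.
        "displayName": "Cert-Only App (constructed)",
        "passwordCredentials": [],
    },
]


def parse_graph_time(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps Graph emits (trailing 'Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def secrets_needing_rotation(apps, now: datetime, max_age_days: int = MAX_SECRET_AGE_DAYS):
    """Return one finding per secret that is older than, or valid for longer than, max_age_days.

    Two independent checks are applied:
      * age: days elapsed since startDateTime (has the secret been rotated recently?)
      * lifetime: days between startDateTime and endDateTime (was it issued for too long?)
    """
    findings = []
    for app in apps:
        for cred in app.get("passwordCredentials", []):
            start = parse_graph_time(cred["startDateTime"])
            end = parse_graph_time(cred["endDateTime"])
            age_days = (now - start).days
            lifetime_days = (end - start).days
            reasons = []
            if age_days > max_age_days:
                reasons.append(f"age {age_days}d exceeds {max_age_days}d")
            if lifetime_days > max_age_days:
                reasons.append(f"lifetime {lifetime_days}d exceeds {max_age_days}d")
            if reasons:
                findings.append({
                    "app": app["displayName"],
                    "keyId": cred["keyId"],
                    "age_days": age_days,
                    "lifetime_days": lifetime_days,
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    # Fixed reference time so the constructed sample gives a stable result.
    for finding in secrets_needing_rotation(SAMPLE_APPS, datetime(2025, 5, 1, tzinfo=timezone.utc)):
        print(finding)
```

Feeding this real data means exporting the `passwordCredentials` of each application object from your tenant; the age check is the one that catches "never rotated" secrets, while the lifetime check catches secrets that were created recently but with an expiry far beyond the rotation policy.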

Recommendations:

  1. Monitor Entra audit logs for unauthorized modifications or additions of credentials to service principals initiated by Commvault applications/service principals.
  2. Review Microsoft logs (Entra audit, Entra sign-in, unified audit logs) and conduct internal threat hunting.
  3. For single tenant apps, implement a conditional access policy that limits authentication of an application service principal to an approved IP address that is listed within Commvault’s allowlisted range of IP addresses.
  4. Review the list of Application Registrations and Service Principals in Entra with administrative consent for higher privileges than the business need.
  5. Restrict access to Commvault management interfaces to trusted networks and administrative systems.
  6. Detect and block path-traversal attempts and suspicious file uploads by deploying a Web Application Firewall and removing external access to Commvault applications.
  7. Block the IoCs at the respective controls: https://www.virustotal.com/gui/collection/2078298b53332793509a02ce1d98df3e516a628d4ed1803b7f6596ff9c1669f8/iocs
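Recommendations 1 to 3 describe two hunts: credential additions to service principals initiated by Commvault applications in the Entra audit log, and service-principal sign-ins from addresses outside Commvault's allowlisted ranges. The script below is an added example, not code from the advisory or from Commvault, that runs both checks over constructed sample records. The record field names are simplified assumptions rather than the exact Entra log schema, the allowlist uses a documentation range (203.0.113.0/24) as a placeholder for Commvault's real published addresses, and the service-principal display names are made up; the audit activity names are the ones Entra uses for credential changes at the time of writing and should be verified against your tenant's logs.

```python
"""Entra audit-log and sign-in hunt for the Commvault advisory (added example, not from the advisory)."""
import ipaddress

# Placeholder allowlist standing in for Commvault's published IP ranges (assumption).
COMMVAULT_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]

# Substring used to recognise Commvault-managed service principals by display name (assumption).
COMMVAULT_SP_MARKER = "commvault"

# Entra audit activities that add or change credentials on an app or service principal.
CREDENTIAL_OPERATIONS = {
    "Add service principal credentials",
    "Update application - Certificates and secrets management",
}

# Constructed audit-log records with simplified field names.
SAMPLE_AUDIT = [
    {"activity": "Add service principal credentials",
     "initiatedBy": "Commvault Backup Integration (constructed)",
     "target": "Commvault Backup Integration (constructed)",
     "time": "2025-02-18T03:12:00Z"},
    {"activity": "Add service principal credentials",
     "initiatedBy": "admin@example.com",
     "target": "HR Portal (constructed)",
     "time": "2025-02-18T09:00:00Z"},
    {"activity": "Update user",
     "initiatedBy": "Commvault Backup Integration (constructed)",
     "target": "someone@example.com",
     "time": "2025-02-19T11:30:00Z"},
]

# Constructed service-principal sign-in records.
SAMPLE_SIGNINS = [
    {"servicePrincipalName": "Commvault Backup Integration (constructed)",
     "ipAddress": "203.0.113.10", "time": "2025-02-18T02:00:00Z"},
    {"servicePrincipalName": "Commvault Backup Integration (constructed)",
     "ipAddress": "198.51.100.7", "time": "2025-02-18T03:10:00Z"},
    {"servicePrincipalName": "HR Portal (constructed)",
     "ipAddress": "198.51.100.7", "time": "2025-02-18T03:11:00Z"},
]


def is_commvault_principal(name: str, marker: str = COMMVAULT_SP_MARKER) -> bool:
    """Case-insensitive match on the service-principal display name."""
    return marker in (name or "").lower()


def flag_credential_additions(audit_records, marker: str = COMMVAULT_SP_MARKER):
    """Recommendation 1: credential changes initiated by a Commvault principal."""
    return [
        rec for rec in audit_records
        if rec.get("activity") in CREDENTIAL_OPERATIONS
        and is_commvault_principal(rec.get("initiatedBy"), marker)
    ]


def ip_in_allowlist(ip: str, allowlist) -> bool:
    """True only for a parseable address inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable source address is treated as not allowlisted
    return any(addr in net for net in allowlist)


def flag_offrange_signins(signin_records, allowlist=COMMVAULT_ALLOWLIST,
                          marker: str = COMMVAULT_SP_MARKER):
    """Recommendation 3: Commvault principal sign-ins from outside the allowlist."""
    return [
        rec for rec in signin_records
        if is_commvault_principal(rec.get("servicePrincipalName"), marker)
        and not ip_in_allowlist(rec.get("ipAddress", ""), allowlist)
    ]


def hunt(audit_records, signin_records, allowlist=COMMVAULT_ALLOWLIST):
    """Run both hunts and return the findings grouped by check."""
    return {
        "credential_additions": flag_credential_additions(audit_records),
        "offrange_signins": flag_offrange_signins(signin_records, allowlist),
    }


if __name__ == "__main__":
    for check, hits in hunt(SAMPLE_AUDIT, SAMPLE_SIGNINS).items():
        print(check, len(hits))
        for hit in hits:
            print("  ", hit)
```

A sign-in from outside the allowlist is the detection counterpart of the Conditional Access policy in recommendation 3: the policy blocks it, the hunt shows whether it already happened before the policy was in place. The credential-addition check is the more decisive signal, since a backup integration has no routine reason to mint new secrets on its own service principal.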

Source:

  • https://www.cisa.gov/news-events/alerts/2025/05/22/advisory-update-cyber-threat-activity-targeting-commvaults-saas-cloud-application-metallic
  • https://documentation.commvault.com/securityadvisories/CV_2025_03_1.html
  • https://thehackernews.com/2025/05/cisa-warns-of-suspected-broader-saas.html
  • https://www.commvault.com/blogs/customer-security-update
  • https://kb.commvault.com/article/87703


Ampcus Cyber