| Commvault is monitoring cyber threat activity targeting their applications hosted in their Microsoft Azure cloud environment. Threat actors may have accessed client secrets for Commvault’s (Metallic) Microsoft 365 (M365) backup software-as-a-service (SaaS) solution, hosted in Azure. This provided the threat actors with unauthorized access to Commvault’s customers’ M365 environments that have application secrets stored by Commvault. |
| The Cybersecurity and Infrastructure Security Agency (CISA) believes the threat activity may be part of a larger campaign targeting various SaaS companies’ cloud applications with default configurations and elevated permissions. |
| CISA urges users and administrators to review the mitigations and apply necessary patches and updates for all systems. |
| CISA added CVE-2025-3928 to the Known Exploited Vulnerabilities Catalog and is continuing to investigate the malicious activity in collaboration with partner organizations. |