Commvault Breach Exposes Vulnerabilities

Threat actors exploited a high-severity vulnerability in Commvault's Azure-hosted cloud infrastructure, compromising the backup provider's Metallic SaaS platform and potentially exposing its customers to follow-on attacks on their Microsoft 365 environments.

The Cybersecurity and Infrastructure Security Agency (CISA) believes the breach may be part of a larger campaign targeting SaaS providers' cloud applications, and Commvault has attributed the intrusion to a nation-state actor. With data breach costs averaging $4.35 million, organizations face substantial financial exposure from attacks of this kind.

The attackers exploited CVE-2025-3928, a vulnerability in the Commvault Web Server (CVSS 8.7) that allows a remote, authenticated attacker to create and execute webshells on the host. It was exploited as a zero-day: the intrusion predates the fix, so affected systems could be fully compromised before any patch was available.

The primary target was Commvault’s Metallic SaaS platform, particularly backup solutions integrated with Microsoft 365 environments. Metallic serves as a cloud-based backup service hosted on Microsoft Azure, providing comprehensive backup capabilities for Exchange Online, SharePoint, OneDrive, and Teams.

During the breach, the attackers accessed application credentials, specifically client secrets, that Metallic uses to authenticate to customers' M365 tenants in Microsoft Azure. A client secret is a long-lived credential for the application's service principal, so a stolen one lets an attacker request tokens as the backup application itself, with no user password or MFA challenge, and move laterally into customers' cloud environments.

The incident primarily affected organizations whose Commvault and Microsoft accounts were linked; Commvault has reported no evidence that the backup data it stores was accessed or exfiltrated.

The attack is a supply-chain compromise: it exploits the trust relationship between a SaaS platform and the customers' cloud identity provider rather than any weakness in the customers' own systems. Organizations using third-party SaaS solutions are exposed when application secrets are poorly monitored or rarely rotated, because a single provider holds credentials for many customer tenants, so one compromise at the provider fans out across all of them.

CISA has added CVE-2025-3928 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch by May 19, 2025. The agency also recommends that Commvault customers review Entra audit logs for credentials added to or modified on service principals by Commvault applications, implement Conditional Access policies that restrict where the application's service principal may authenticate from across Microsoft 365, Dynamics 365, and Azure Active Directory (now Microsoft Entra ID) applications, and rotate client secrets on a 90-day cycle.
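The two customer-side checks implied above, as an added example that is not Commvault's, Microsoft's, or CISA's code: a hunt over Entra audit records for credential changes on service principals initiated by an application, and a stale-secret check against the 90-day rotation window. The field names follow the Microsoft Graph `directoryAudit` and `passwordCredential` resources, the set of audit activity names is an assumption to be extended from your own tenant's logs, and all sample records and app names are constructed for the example.

```python
"""Entra ID hunt for the two Commvault-style controls: credential changes on
service principals, and client secrets older than the 90-day rotation window.

Added example, not Commvault's, Microsoft's or CISA's code. Field names follow
the Microsoft Graph directoryAudit and passwordCredential resources; the sample
records below are constructed, not taken from any real tenant.
"""
import json
from datetime import datetime, timedelta, timezone

# Entra audit activityDisplayName values that add or alter app credentials.
# Assumed set: extend it with whatever your tenant's logs actually show.
CREDENTIAL_ACTIVITIES = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}

# Fixed reference date so the run is reproducible; use
# datetime.now(timezone.utc) in practice.
REFERENCE_TIME = datetime(2025, 5, 22, tzinfo=timezone.utc)

# Constructed directoryAudit-shaped records. The second one is the pattern CISA
# told Commvault customers to hunt for: a credential added to a service
# principal by the backup provider's own application, not by an administrator.
SAMPLE_AUDIT_LOG = json.dumps([
    {
        "activityDateTime": "2025-04-20T10:15:00Z",
        "activityDisplayName": "Update user",
        "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "targetResources": [{"displayName": "jane.doe", "type": "User"}],
    },
    {
        "activityDateTime": "2025-04-21T02:03:00Z",
        "activityDisplayName": "Add service principal credentials",
        "initiatedBy": {"app": {"displayName": "Metallic Backup Connector"}},
        "targetResources": [
            {"displayName": "Metallic Backup Connector", "type": "ServicePrincipal"}
        ],
    },
    {
        "activityDateTime": "2025-04-22T09:00:00Z",
        "activityDisplayName": "Update application – Certificates and secrets management",
        "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "targetResources": [{"displayName": "HR Portal", "type": "Application"}],
    },
])

# Constructed passwordCredential entries as returned for an app registration.
SAMPLE_PASSWORD_CREDENTIALS = [
    {"keyId": "c0ffee00-0000-4000-8000-000000000001", "displayName": "metallic-prod",
     "startDateTime": "2024-11-01T00:00:00Z", "endDateTime": "2026-11-01T00:00:00Z"},
    {"keyId": "c0ffee00-0000-4000-8000-000000000002", "displayName": "metallic-rotated",
     "startDateTime": "2025-05-01T00:00:00Z", "endDateTime": "2025-08-01T00:00:00Z"},
]


def initiator(record):
    """Return (kind, name): who performed the audited action, an app or a user."""
    by = record.get("initiatedBy") or {}
    if by.get("app"):
        return "app", by["app"].get("displayName", "")
    if by.get("user"):
        return "user", by["user"].get("userPrincipalName", "")
    return "unknown", ""


def credential_changes(audit_json, watched_apps):
    """Flag credential add/update events that were initiated by an application
    (automation adding secrets to itself) or that target a watched app name."""
    hits = []
    for rec in json.loads(audit_json):
        if rec.get("activityDisplayName") not in CREDENTIAL_ACTIVITIES:
            continue
        kind, name = initiator(rec)
        targets = [t.get("displayName", "") for t in rec.get("targetResources", [])]
        if kind == "app" or any(t in watched_apps for t in targets):
            hits.append({
                "time": rec["activityDateTime"],
                "activity": rec["activityDisplayName"],
                "initiated_by": f"{kind}:{name}",
                "targets": targets,
            })
    return hits


def _parse_utc(stamp):
    # Python < 3.11 fromisoformat does not accept a trailing "Z".
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def stale_secrets(password_credentials, now, max_age_days=90):
    """Return display names of secrets issued more than max_age_days ago,
    i.e. secrets that should already have been rotated."""
    cutoff = now - timedelta(days=max_age_days)
    return [c["displayName"] for c in password_credentials
            if _parse_utc(c["startDateTime"]) < cutoff]


if __name__ == "__main__":
    for hit in credential_changes(SAMPLE_AUDIT_LOG, {"Metallic Backup Connector"}):
        print("REVIEW:", hit)
    for name in stale_secrets(SAMPLE_PASSWORD_CREDENTIALS, REFERENCE_TIME):
        print("ROTATE:", name)
```

In a real tenant the records come from `GET /auditLogs/directoryAudits` and `GET /applications/{id}` (the `passwordCredentials` array) via Microsoft Graph; the logic stays the same. The app-initiated branch is the important one: an administrator adding a secret from the portal is routine, while an application adding a credential to its own service principal outside a scheduled rotation is exactly what a provider-side compromise looks like from the customer's side.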

Commvault has responded by rotating compromised credentials and strengthening detection capabilities.

Security experts warn that similar campaigns will likely target other SaaS platforms with comparable architecture and integration models, highlighting vulnerabilities in cloud supply chain relationships that organizations must address through improved monitoring and credential management practices.
