Commvault clients should beware of campaign targeting cloud applications, CISA says
Federal cyber defenders are warning that hackers are targeting the cloud environments of clients of data management giant Commvault.
The New Jersey-based company previously said it was notified by Microsoft in February of a data breach caused by an unnamed nation-state threat actor that allowed access to “a subset of app credentials that certain Commvault customers use to authenticate their M365 environments.”
On Thursday evening, the Cybersecurity and Infrastructure Security Agency (CISA) warned that Commvault is now “monitoring cyber threat activity targeting their applications hosted in their Microsoft Azure cloud environment.”
“CISA believes the threat activity may be part of a larger campaign targeting various SaaS [software-as-a-service] companies’ cloud applications with default configurations and elevated permissions,” the agency said.
CISA said that the threat actors likely “accessed client secrets for Commvault’s (Metallic) Microsoft 365 (M365) backup software-as-a-service (SaaS) solution, hosted in Azure.” In this context, a secret is a unique code that an application uses to authenticate when it connects to servers.
In multiple blog posts throughout March, April and May, Commvault explained that the breach “affected a small number of customers” that the company has in common with Microsoft.
Commvault reiterated that the hackers never accessed customer backup data that the company stores and protects, and that it was working with CISA and the FBI on the issue. The company said it rotated credentials for impacted customers and took several other actions to deal with the incident.
In its notice on Thursday, CISA provided its own list of actions Commvault customers should take to protect themselves, including monitoring logs, rotating credentials and more.
CISA noted in its advisory that it recently added a Commvault vulnerability — CVE-2025-3928 — to its catalog of exploited bugs and is “continuing to investigate the malicious activity in collaboration with partner organizations.”
Commvault previously said that its forensic investigation discovered that the threat actor “exploited a zero-day vulnerability” and included a link to an advisory on CVE-2025-3928.
When asked why the advisory was released on Thursday, CISA declined to provide more information. A Commvault spokesperson said there “are no new developments in this CISA alert since the advisory we posted on May 4.”
CISA is “merely reporting on activity we published and alerted them to from then,” they told Recorded Future News.
Microsoft did not respond to requests for comment about which country was behind the attacks, what companies are being targeted and what data may be at risk.
James Maude, field CTO at BeyondTrust, which has investigated similar breaches in the past, noted that incidents like this highlight the risk involved with allowing third parties privileged access into your environment.
“Their breach becomes your breach,” he said.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.