
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about possible large-scale cyberattacks targeting Software-as-a-Service (SaaS) applications, especially those hosted in cloud environments like Microsoft Azure. The alert highlights a recent security incident involving Commvault, a data protection and backup software company, and its Microsoft 365 (M365) backup SaaS platform called Metallic.
Threat Actors Exploiting App Secrets in Azure
According to CISA, Commvault detected suspicious cyber threat activity affecting their Microsoft Azure cloud services. The attackers may have accessed sensitive client application secrets stored by Commvault in Azure. These secrets are used to authenticate and connect to customers’ Microsoft 365 accounts.
This unauthorized access gave the attackers potential entry into customer M365 environments, posing a significant threat to organizational security and data integrity. Although the backup data was reportedly not compromised, access to application credentials could still allow attackers to infiltrate other critical areas of customer networks.
CISA believes this is not an isolated incident. It may be part of a larger campaign by threat actors targeting SaaS providers. These attacks seem to take advantage of:
Default cloud configurations
Excessive permission settings in cloud apps
Weak access controls
Organizations that rely heavily on SaaS platforms without customizing default security settings may be especially at risk.
Nation-State Threat Actor Behind the Attack
The origin of the attack was traced back to a nation-state threat actor. Microsoft first informed Commvault about the suspicious activity in February 2025. Upon investigation, Commvault discovered that the attacker had exploited a previously unknown zero-day vulnerability CVE-2025-3928 in the Commvault Web Server.
This vulnerability allowed a remote, authenticated attacker to plant and execute web shells—malicious scripts that give attackers remote control over a system. The attackers used this access to dig deeper into the system and potentially extract app credentials for Commvault customers’ Microsoft 365 accounts.
Commvault acted quickly to reduce the impact of the breach. The company rotated all app credentials used in its Microsoft 365 backup services to prevent further misuse. It also clarified that customer backup data remained untouched and secure.
However, the threat is far from over. Attackers who gain access to app secrets can use them to impersonate services or users, spread malware, steal sensitive data, or move laterally within an organization’s network.

CISA’s Recommendations for Mitigation
To protect against this and similar cloud-based attacks, CISA has released a set of recommendations for all organizations using SaaS platforms, particularly those integrated with Microsoft Azure or Microsoft 365:
Monitor Entra (formerly Azure AD) Logs
Keep an eye on Entra audit logs for any unauthorized changes, especially credential modifications related to Commvault applications or service principals.
Review Microsoft Security Logs
Conduct regular checks of Entra audit logs, sign-in logs, and unified audit logs to detect unusual behavior and conduct internal threat hunting.
Use Conditional Access Policies
If you use single-tenant apps, implement access policies that allow authentication only from trusted IP addresses approved by Commvault.
Check Application Permissions
Review all Application Registrations and Service Principals in Entra. Revoke any unnecessary high-privilege permissions that go beyond business needs.
Limit Interface Access
Restrict access to Commvault management interfaces. Only allow trusted networks and systems with administrative control to access these interfaces.
Deploy Web Application Firewalls (WAF)
Install a WAF to detect and block suspicious behaviors such as path traversal attacks and harmful file uploads. Remove external access to Commvault applications wherever possible.
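One way to act on the log-monitoring and trusted-IP recommendations above, as an added example that is not CISA's or Commvault's code: a small Python triage over constructed Entra audit records that flags credential changes on watched applications and marks which ones came from outside the approved IP list. The Microsoft Graph directoryAudit field names, the activity display names and the sample records are assumptions to verify against your own tenant's export.

```python
# Added example, not CISA's or Commvault's code: triage Entra ID audit records for credential
# changes on watched apps. Field names follow Microsoft Graph directoryAudit as I understand it.
# Audit activities that add, rotate or remove app credentials (assumed display names).
CREDENTIAL_ACTIVITIES = {
    "Update application \u2013 Certificates and secrets management",
    "Add service principal credentials",
    "Remove service principal credentials",
}

def initiator(record):
    # Returns (kind, name, ip) for the identity that made the change.
    who = record.get("initiatedBy") or {}
    if who.get("user"):
        return "user", who["user"].get("userPrincipalName", "?"), who["user"].get("ipAddress")
    if who.get("app"):
        return "app", who["app"].get("displayName", "?"), None
    return "unknown", "?", None

def find_credential_changes(records, watch_names, trusted_ips=frozenset()):
    """Return every credential change on a watched app; 'reasons' lists why it needs priority."""
    findings = []
    for rec in records:
        if rec.get("activityDisplayName") not in CREDENTIAL_ACTIVITIES:
            continue
        for target in rec.get("targetResources", []):
            name = target.get("displayName", "")
            if not any(w.lower() in name.lower() for w in watch_names):
                continue
            kind, actor, ip = initiator(rec)
            reasons = []
            if kind != "user":
                reasons.append("non-user initiator")
            if ip not in trusted_ips:
                reasons.append("source ip not on allowlist")
            findings.append({"time": rec.get("activityDateTime"), "target": name,
                             "actor": actor, "ip": ip, "reasons": reasons})
    return findings

# Constructed sample records: an expected rotation, a suspicious app-initiated change, an unrelated update.
SAMPLE_RECORDS = [
    {"activityDateTime": "2025-03-01T09:00:00Z", "activityDisplayName": "Update application \u2013 Certificates and secrets management",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com", "ipAddress": "203.0.113.10"}},
     "targetResources": [{"displayName": "Commvault M365 Backup", "type": "Application"}]},
    {"activityDateTime": "2025-03-02T02:13:00Z", "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"app": {"displayName": "Unknown Automation"}},
     "targetResources": [{"displayName": "Metallic Backup Connector", "type": "ServicePrincipal"}]},
    {"activityDateTime": "2025-03-02T03:00:00Z", "activityDisplayName": "Update application",
     "initiatedBy": {"user": {"userPrincipalName": "dev@example.com", "ipAddress": "198.51.100.5"}},
     "targetResources": [{"displayName": "Commvault M365 Backup", "type": "Application"}]},
]
```

Run `find_credential_changes(SAMPLE_RECORDS, ["Commvault", "Metallic"], {"203.0.113.10"})` against a real export by replacing the sample list with the parsed JSON from your tenant.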
CISA has officially added CVE-2025-3928 to its Known Exploited Vulnerabilities Catalog, underlining the urgency of this issue. The agency is continuing to investigate the attack in partnership with private sector organizations and other cybersecurity entities.
Cloud security remains a top concern as more businesses adopt SaaS solutions. Misconfigured permissions and poorly secured application secrets present an easy target for sophisticated attackers—especially those backed by nation-states.
Secure Your SaaS Now
This incident is a clear warning that even well-established SaaS providers like Commvault are vulnerable to targeted cyberattacks. Organizations must act now to:
Strengthen their cloud security configurations
Monitor for unusual activity
Limit application permissions
Implement stricter access controls
Ignoring these risks could lead to major breaches, data theft, and long-term reputational damage. Staying proactive with SaaS security measures can make the difference between a near miss and a major security incident.