CISA Issues Alert on Potential Widespread SaaS Attacks Targeting Application Secrets and Cloud Misconfigurations


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has disclosed that Commvault is actively monitoring cybersecurity threats that are targeting applications hosted within its Microsoft Azure cloud environment.

According to the agency, threat actors may have gained unauthorized access to client secrets relating to Commvault’s Metallic Microsoft 365 (M365) backup software-as-a-service (SaaS) solution hosted in Azure. This unauthorized access potentially compromises Commvault’s customers’ M365 environments, in which application secrets are stored.

CISA has noted that this incident may form part of a broader campaign aimed at various software-as-a-service (SaaS) providers, particularly those with default configurations and elevated permissions that may leave them vulnerable to attacks.

This advisory follows an earlier notification from Microsoft to Commvault regarding unauthorized activity, identified in February 2025 and attributed to a nation-state threat actor, within Commvault’s Azure environment. The investigation revealed that the threat actor had leveraged a zero-day vulnerability, CVE-2025-3928, a flaw in the Commvault Web Server that enables a remote, authenticated attacker to create and execute web shells.

Commvault has indicated that the sophistication of the threat actor’s techniques is concerning and points to attempts to infiltrate customer M365 environments. The company highlighted that this actor may have accessed certain application credentials that Commvault customers use for M365 authentication.

In response, Commvault has implemented several remedial actions, including rotating application credentials for M365 access. The company emphasizes that there has been no unauthorized access to customer backup data.

To help mitigate such threats, CISA recommends that users and administrators adhere to the following guidelines:

– Monitor Entra audit logs for any unauthorized modifications or additions to credentials associated with Commvault applications/service principals.
– Review Microsoft logs, including Entra audit, Entra sign-in, and unified audit logs, while conducting internal threat hunting efforts.
– For single-tenant applications, implement a conditional access policy that restricts authentication of an application service principal to an approved IP address from Commvault’s allowlisted range.
– Evaluate the list of Application Registrations and Service Principals in Entra to ensure administrative consent privileges are not exceeding business needs.
– Limit access to Commvault management interfaces to trusted networks and administrative systems.
– Deploy a Web Application Firewall to detect and block path-traversal attempts and suspicious file uploads, while eliminating external access to Commvault applications.
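As an added illustration of the first three recommendations (this is not part of the CISA advisory and not Commvault’s own tooling), the Python below runs a small offline hunt over constructed Entra-style audit and sign-in records: it flags credential additions on a watched service principal and service-principal sign-ins from outside an approved range. The operation-name substrings, the principal display name and the approved CIDR are assumptions and placeholders, not real values.

```python
# Added example, not from the advisory. Record shapes, operation names,
# principal names and the approved range are assumptions/constructed.
import ipaddress

# Substrings of Entra audit "activityDisplayName" values that indicate a
# credential was added to an app registration or service principal (assumed).
CREDENTIAL_OP_MARKERS = (
    "Certificates and secrets management",
    "Add service principal credentials",
)

# Display name the tenant uses for the backup vendor's principal (assumed).
WATCHED_PRINCIPALS = {"Commvault Metallic M365 Backup"}

# Placeholder for the vendor's published allowlisted range (not the real one).
APPROVED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample records in a simplified Entra-like shape (not real data).
AUDIT_EVENTS = [
    {"activityDisplayName": "Update application - Certificates and secrets management",
     "targetResources": [{"displayName": "Commvault Metallic M365 Backup"}],
     "initiatedBy": "breakglass@example.com", "activityDateTime": "2025-02-20T03:14:00Z"},
    {"activityDisplayName": "Update user", "targetResources": [{"displayName": "alice"}],
     "initiatedBy": "admin@example.com", "activityDateTime": "2025-02-20T09:00:00Z"},
]
SIGN_INS = [
    {"servicePrincipalName": "Commvault Metallic M365 Backup", "ipAddress": "203.0.113.10"},
    {"servicePrincipalName": "Commvault Metallic M365 Backup", "ipAddress": "198.51.100.7"},
]

def credential_changes(events, watched=WATCHED_PRINCIPALS):
    """Return audit events that add or replace credentials on a watched principal."""
    hits = []
    for ev in events:
        name = ev.get("activityDisplayName", "")
        if not any(marker in name for marker in CREDENTIAL_OP_MARKERS):
            continue
        targets = {t.get("displayName") for t in ev.get("targetResources", [])}
        if targets & watched:
            hits.append(ev)
    return hits

def off_allowlist_signins(signins, watched=WATCHED_PRINCIPALS, ranges=APPROVED_RANGES):
    """Return sign-ins by a watched service principal from outside the approved ranges."""
    ip_ok = lambda ip: any(ipaddress.ip_address(ip) in r for r in ranges)
    return [s for s in signins
            if s.get("servicePrincipalName") in watched and not ip_ok(s["ipAddress"])]

if __name__ == "__main__":
    for ev in credential_changes(AUDIT_EVENTS):
        print("credential change on watched principal:", ev["initiatedBy"], ev["activityDateTime"])
    for s in off_allowlist_signins(SIGN_INS):
        print("service-principal sign-in outside allowlist:", s["ipAddress"])
```

Both findings are the kind of event the recommendations above ask administrators to look for; in production the same logic would run over exported Entra audit and sign-in logs rather than the constructed records here.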

CISA has added CVE-2025-3928 to its Known Exploited Vulnerabilities Catalog as of late April 2025 and continues to investigate the malicious activity in partnership with relevant organizations.