
Critical Advisory: Cyber Threats Targeting Commvault’s Metallic SaaS Application

TL;DR

Commvault is actively monitoring cyber threats targeting its Metallic SaaS application hosted on Microsoft Azure. Threat actors may have accessed client secrets, providing unauthorized access to Commvault’s customers’ M365 environments. CISA urges users to implement mitigations and apply necessary patches.

Main Content

Commvault is actively monitoring cyber threats targeting its applications hosted in Microsoft Azure. Threat actors may have accessed client secrets for Commvault’s Metallic Microsoft 365 (M365) backup software-as-a-service (SaaS) solution, which is hosted in Azure. Because Commvault stores these application secrets on behalf of its customers, the breach potentially provided unauthorized access to those customers’ M365 environments.

For more information, refer to the Security Advisory Update.

CISA believes this threat activity may be part of a larger campaign targeting various SaaS companies’ cloud applications with default configurations and elevated permissions.

CISA urges users and administrators to review the following mitigations and apply necessary patches and updates for all systems:

  1. Monitor Entra Audit Logs:
    • Watch for unauthorized modifications or additions of credentials to service principals initiated by Commvault applications/service principals.
    • Treat sign-ins that deviate from the application’s regular schedule as suspicious.
    • For more information, see NSA and CISA’s Identity Management guidance and CISA’s guidance on ICAM Reference Architecture.
  2. Review Microsoft Logs:
    • Examine Entra audit, Entra sign-in, and unified audit logs.
    • Conduct internal threat hunting in alignment with documented organizational incident response policies.
  3. Implement Conditional Access Policies (Single Tenant Apps Only):
    • Limit authentication of an application service principal to an approved IP address within Commvault’s allowlisted range.
    • Note: A Microsoft Entra Workload ID Premium License is required to apply conditional access policies to an application service principal and is available to customers at an additional cost [1](#1).
  4. Rotate Application Secrets:
    • Commvault customers who manage their own application secrets should rotate the secrets and credentials on Commvault Metallic applications and service principals that were in place between February and May 2025 [2](#2).
    • Note: This mitigation applies to a limited number of customers who control Commvault’s application secrets.
    • Establish a policy to regularly rotate credentials at least every 30 days, if applicable.
  5. Review Application Registrations and Service Principals:
    • Check for administrative consent for higher privileges than the business need in Entra.
  6. Implement General M365 Security Recommendations:
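The checks in items 1 to 5 above can be scripted against exported Entra data. The following is an added example (not Commvault’s or CISA’s code): it models audit events, service principal sign-ins and password credentials on their Microsoft Graph shapes (directoryAudit, service principal sign-in records, servicePrincipal.passwordCredentials) and runs the four hunts over constructed records. The service principal name "Metallic Backup", the tenant contoso.example, the CIDR allowlist and the set of permissions the app is assumed to need are placeholders, not values from the advisory.

```python
"""Threat-hunting helpers for the Entra ID mitigations in the advisory above.

Added example, not Commvault's or CISA's code. Record shapes follow Microsoft
Graph directoryAudit, service principal sign-in and passwordCredential objects.
All records below are constructed; the names and CIDRs are placeholders.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

# Audit activities that add or change credentials on a service principal or
# app registration (Entra audit category "ApplicationManagement").
CREDENTIAL_ACTIVITIES = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}


def initiator_of(record):
    """UPN of the user, or display name of the app, that initiated an audit record."""
    by = record.get("initiatedBy") or {}
    user, app = by.get("user") or {}, by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "<unknown>"


def find_credential_changes(audit_records, expected_initiators):
    """Mitigation 1: credential additions or changes not made by an expected
    identity, e.g. a Commvault application adding a secret to a service principal."""
    findings = []
    for rec in audit_records:
        if rec.get("activityDisplayName") not in CREDENTIAL_ACTIVITIES:
            continue
        who = initiator_of(rec)
        if who in expected_initiators:
            continue
        findings.append({
            "time": rec["activityDateTime"], "initiator": who,
            "activity": rec["activityDisplayName"],
            "targets": [t.get("displayName") for t in rec.get("targetResources", [])],
        })
    return findings


def find_signins_outside_allowlist(signin_records, sp_name, allowed_cidrs):
    """Mitigations 2 and 3: service principal sign-ins from addresses outside the
    vendor's allowlisted ranges (what a Conditional Access policy would block)."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    return [
        {"time": r["createdDateTime"], "ip": r["ipAddress"]}
        for r in signin_records
        if r.get("servicePrincipalName") == sp_name
        and not any(ipaddress.ip_address(r["ipAddress"]) in n for n in nets)
    ]


def find_stale_secrets(password_credentials, now, max_age_days=30):
    """Mitigation 4: secrets older than the rotation policy allows."""
    stale = []
    for cred in password_credentials:
        start = datetime.fromisoformat(cred["startDateTime"].replace("Z", "+00:00"))
        if now - start > timedelta(days=max_age_days):
            stale.append(cred["displayName"])
    return stale


def find_excess_app_roles(granted_roles, needed_roles):
    """Mitigation 5: admin-consented application permissions beyond the business
    need, e.g. Directory.ReadWrite.All on an app that only needs to read sites."""
    return sorted(set(granted_roles) - set(needed_roles))


# --- constructed sample data (placeholders, not advisory values) -------------
AUDIT = [
    {"activityDateTime": "2025-04-02T03:14:07Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"app": {"displayName": "Metallic Backup"}},
     "targetResources": [{"displayName": "Metallic Backup", "type": "ServicePrincipal"}]},
    {"activityDateTime": "2025-04-10T09:00:00Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"displayName": "Metallic Backup", "type": "ServicePrincipal"}]},
]
SIGNINS = [
    {"createdDateTime": "2025-04-02T03:15:00Z", "servicePrincipalName": "Metallic Backup",
     "ipAddress": "203.0.113.10"},
    {"createdDateTime": "2025-04-02T03:20:00Z", "servicePrincipalName": "Metallic Backup",
     "ipAddress": "198.51.100.23"},
]
ALLOWED_CIDRS = ["203.0.113.0/24"]  # stand-in for the vendor's published range
CREDS = [
    {"displayName": "rotated-2025-05", "startDateTime": "2025-05-01T00:00:00Z"},
    {"displayName": "original-2025-01", "startDateTime": "2025-01-15T00:00:00Z"},
]
GRANTED = ["Sites.Read.All", "Files.Read.All", "Directory.ReadWrite.All"]
NEEDED = ["Sites.Read.All", "Files.Read.All"]


def hunt(now=datetime(2025, 5, 20, tzinfo=timezone.utc)):
    """Run all four checks over the sample data and return the findings."""
    return {
        "credential_changes": find_credential_changes(AUDIT, {"admin@contoso.example"}),
        "signins_outside_allowlist": find_signins_outside_allowlist(
            SIGNINS, "Metallic Backup", ALLOWED_CIDRS),
        "stale_secrets": find_stale_secrets(CREDS, now),
        "excess_app_roles": find_excess_app_roles(GRANTED, NEEDED),
    }


if __name__ == "__main__":
    for check, hits in hunt().items():
        print(f"{check}: {hits}")
```

Against the sample data the first audit record fires (the application itself added a credential), the second sign-in fires (198.51.100.23 is outside the allowlist), the January secret is stale, and Directory.ReadWrite.All is flagged as excess. In a real tenant the inputs would come from, for example, Get-MgAuditLogDirectoryAudit and Get-MgServicePrincipal in the Microsoft Graph PowerShell SDK, or the AuditLogs and AADServicePrincipalSignInLogs tables in Log Analytics.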

Precautionary Recommendations for On-premises Software Versions

  1. Restrict Access to Commvault Management Interfaces:
    • Limit access to trusted networks and administrative systems where feasible.
  2. Deploy Web Application Firewall:
    • Detect and block path-traversal attempts and suspicious file uploads.
    • Remove external access to Commvault applications.
  3. Apply Patches and Follow Best Practices:
    • Use the provided patches [3](#3) and follow these best practices [4](#4).
    • Monitor activity from unexpected directories, particularly web-accessible paths.
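The detection side of the three on-premises precautions above (path-traversal attempts, suspicious uploads, requests to unexpected web-accessible paths) can be checked against web server access logs. The following is an added example, not Commvault’s or CISA’s code: it parses constructed Combined Log Format lines, percent-decodes the request path repeatedly so double-encoded traversal is caught, and reports each request that trips a rule. The expected path prefix and the list of risky upload extensions are assumptions to tune per deployment, not values from the advisory.

```python
"""Access-log checks for the on-premises precautions in the advisory above:
path-traversal attempts, suspicious uploads and requests outside expected paths.

Added example, not Commvault's or CISA's code. The log lines are constructed;
EXPECTED_PREFIXES and RISKY_UPLOAD_EXT are assumptions to tune per deployment.
"""
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Assumed: only these prefixes are legitimately served; anything else is
# "activity from unexpected directories" worth a look.
EXPECTED_PREFIXES = ("/app/",)
# Assumed: extensions that should never arrive by upload to a web-accessible path.
RISKY_UPLOAD_EXT = {".jsp", ".jspx", ".war", ".aspx", ".php", ".sh", ".exe"}


def normalize(target):
    """Strip the query string, percent-decode repeatedly (so %252e%252e is caught
    as well as %2e%2e) and unify path separators."""
    path = target.split("?", 1)[0]
    for _ in range(3):  # bounded: nested encodings beyond a few levels are rare
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def has_traversal(path):
    """True when any path segment is '..' after normalization."""
    return ".." in path.split("/")


def is_risky_upload(method, path):
    """True for POST/PUT of a file whose extension is on the risky list."""
    name = path.rsplit("/", 1)[-1]
    ext = name[name.rfind("."):].lower() if "." in name else ""
    return method in {"POST", "PUT"} and ext in RISKY_UPLOAD_EXT


def scan(lines):
    """Return one finding per suspicious request, with the reasons that fired."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalize(m["target"])
        reasons = []
        if has_traversal(path):
            reasons.append("path-traversal")
        if is_risky_upload(m["method"], path):
            reasons.append("suspicious-upload")
        if not path.startswith(EXPECTED_PREFIXES):
            reasons.append("unexpected-path")
        if reasons:
            findings.append({"ip": m["ip"], "method": m["method"], "path": path,
                             "status": int(m["status"]), "reasons": reasons})
    return findings


SAMPLE_LOG = [  # constructed log lines, not from any real server
    '198.51.100.7 - - [10/May/2025:10:00:00 +0000] "GET /app/index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/May/2025:10:00:01 +0000] "GET /app/..%2f..%2fetc/passwd HTTP/1.1" 404 0',
    '198.51.100.7 - - [10/May/2025:10:00:02 +0000] "GET /app/%252e%252e/%252e%252e/config HTTP/1.1" 403 0',
    '198.51.100.9 - - [10/May/2025:10:00:03 +0000] "POST /app/upload/report.pdf HTTP/1.1" 200 10',
    '198.51.100.9 - - [10/May/2025:10:00:04 +0000] "POST /app/upload/cmd.jsp HTTP/1.1" 200 10',
    '198.51.100.9 - - [10/May/2025:10:00:05 +0000] "GET /.git/config HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']} {f['method']} {f['path']} -> {', '.join(f['reasons'])}")
```

Note that the blocked (403/404) traversal attempts are still reported: a WAF stopping the request does not mean the probing should go unnoticed, and repeated attempts from one source are the signal to act on.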

CISA has added CVE-2025-3928, the Commvault Web Server vulnerability, to the Known Exploited Vulnerabilities Catalog and continues to investigate the malicious activity in collaboration with partner organizations.

References

Additional Resources

For further insights, check:

  • [Get servicePrincipal – Microsoft Graph v1.0 | Microsoft Learn](https://learn.microsoft.com/en-us/graph/api/serviceprincipal-get?view=graph-rest-1.0&tabs=http)
  • [Updated Best Practices in Security for Azure Apps Configuration to Protect M365, D365 or EntraID Workload | Commvault](https://kb.commvault.com/article/87661)

Organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at [email protected] or (888) 282-0870.

For more details, visit the full article: source

Conclusion

Commvault’s monitoring and CISA’s guidance are central to mitigating the cyber threats targeting Metallic SaaS applications. Organizations must remain vigilant and implement the recommended security measures to protect their M365 tenants and on-premises Commvault deployments.

  1. Workload identities - Microsoft Entra Workload ID, Microsoft Learn. Retrieved 2025-05-22.
  2. Change a Client Secret for the Azure App for OneDrive for Business. Retrieved 2025-05-22.
  3. CV_2025_03_1: Critical Webserver Vulnerability. Retrieved 2025-05-22.
  4. Best Practice Guide: Enhancing Security with Conditional Access and Sign-In Monitoring. Retrieved 2025-05-22.

This post is licensed under CC BY 4.0 by the author.