In early 2025, Commvault, a leading provider of data protection solutions, faced a significant cybersecurity incident when a nation-state actor exploited a zero-day vulnerability, CVE-2025-3928, within its Microsoft Azure environment. This breach, initially detected on February 20, 2025, prompted immediate action from Commvault's security team.

Incident Overview

The breach was identified following Microsoft's notification of unauthorized activity within Commvault's Azure infrastructure. Upon investigation, it was determined that the attackers had exploited CVE-2025-3928, a critical vulnerability in Commvault's Web Server component, allowing authenticated users to execute arbitrary code remotely. This exploitation enabled the deployment of web shells, granting attackers persistent access to the compromised systems. (documentation.commvault.com)

Impact Assessment

Despite the severity of the breach, Commvault confirmed that no unauthorized access occurred to customer backup data stored and protected by the company. The incident did not have a material impact on Commvault's business operations or its ability to deliver products and services. (commvault.com)

Mitigation Measures

In response to the breach, Commvault took several decisive actions:

  • Patch Deployment: The company released patches addressing CVE-2025-3928, urging all customers to update their systems promptly. (documentation.commvault.com)
  • Enhanced Security Protocols: Commvault implemented advanced security measures, including enhanced key rotation and strengthened monitoring rules, to bolster defenses against future threats. (commvault.com)
  • Collaboration with Authorities: The company coordinated with cybersecurity firms, the FBI, and the Cybersecurity and Infrastructure Security Agency (CISA) to investigate the incident and share threat intelligence. (commvault.com)
Recommendations for Customers

To further enhance security, Commvault recommended the following actions for its customers:

  • Implement Conditional Access Policies: Apply Conditional Access policies to all Microsoft 365, Dynamics 365, and Azure AD single-tenant app registrations to restrict unauthorized access. (bleepingcomputer.com)
  • Regularly Rotate Credentials: Rotate and synchronize client secrets between the Azure portal and Commvault every 90 days to minimize the risk of credential-based attacks. (bleepingcomputer.com)
  • Monitor Sign-In Activity: Regularly monitor sign-in activity to detect any access attempts originating from IP addresses outside of the allowed ranges. (bleepingcomputer.com)
Conclusion

The Commvault Azure breach serves as a stark reminder of the evolving nature of cyber threats targeting cloud infrastructures. While the company acted swiftly to mitigate the impact and secure its environment, it underscores the necessity for organizations to maintain vigilant cybersecurity practices, including regular software updates, robust access controls, and continuous monitoring to safeguard sensitive data.

References