In a significant cybersecurity incident, Commvault, a leading provider of data protection and backup solutions, has confirmed that a nation-state threat actor exploited a zero-day vulnerability, CVE-2025-3928, within its Microsoft Azure environment. This breach underscores the evolving landscape of cyber threats targeting cloud infrastructures.

Background

On February 20, 2025, Microsoft alerted Commvault to unauthorized activity within its Azure environment. Upon investigation, Commvault identified that the threat actor had exploited CVE-2025-3928, a previously unknown vulnerability in their web server software. This flaw allowed the attacker to deploy webshells, providing persistent remote access to the affected systems. (commvault.com)

Technical Details

CVE-2025-3928 is a critical vulnerability with a CVSS score of 8.7, affecting multiple versions of Commvault's Web Server component. The flaw permitted authenticated, low-privilege users to execute arbitrary code remotely, potentially compromising the system. The affected versions include:

  • 11.20.0 to 11.20.216
  • 11.28.0 to 11.28.140
  • 11.32.0 to 11.32.88
  • 11.36.0 to 11.36.45

Commvault released patches addressing this vulnerability in versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for both Windows and Linux platforms. (docs.commvault.com)

Impact and Response

The breach affected a small number of customers shared with Microsoft. Importantly, there was no unauthorized access to customer backup data stored and protected by Commvault, nor any material impact on the company's business operations or ability to deliver products and services. (commvault.com)

In response, Commvault activated its incident response plan, collaborating with leading cybersecurity firms and coordinating with authorities, including the FBI and the Cybersecurity and Infrastructure Security Agency (CISA). The company implemented enhanced security measures, such as improved key rotation protocols and strengthened monitoring rules. Additionally, Commvault shared best practices and indicators of compromise (IoCs) to assist organizations in detecting potential exploitation of CVE-2025-3928. (securityweek.com)

Recommendations for Organizations

To mitigate risks associated with CVE-2025-3928, organizations are advised to:

  1. Apply Conditional Access Policies: Implement strict access controls for all Microsoft 365, Dynamics 365, and Azure AD single-tenant app registrations.
  2. Rotate and Sync Client Secrets: Regularly update and synchronize client secrets between Azure and Commvault every 90 days.
  3. Monitor Sign-In Activity: Detect and block access attempts from IP addresses outside of approved ranges.
  4. Update Commvault Software: Ensure systems are running the latest patched versions to address known vulnerabilities.

By implementing these measures, organizations can enhance their security posture and reduce the risk of similar attacks.

Conclusion

The exploitation of CVE-2025-3928 in Commvault's Azure environment highlights the persistent threat posed by nation-state actors targeting cloud infrastructures. It emphasizes the necessity for organizations to maintain vigilant security practices, promptly apply security patches, and collaborate with cybersecurity experts and authorities to effectively respond to and mitigate such threats.