CISA Alerts About Attacks on Commvault’s SaaS Environment: What You Need to Know

The cybersecurity landscape is constantly evolving, and so are the threats targeting organizations’ data and cloud infrastructures. Recently, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about attacks on Commvault’s cloud-based backup and recovery platform, specifically its SaaS offering, Metallic, hosted on Microsoft Azure. The attackers are believed to have obtained client secrets that the service holds for backing up customer tenants, and used them in attempts to access the Microsoft 365 environments of a small number of customers. The incident highlights the risk that a SaaS provider’s stored credentials pose to its customers, and it underscores the importance of securing and monitoring application credentials in cloud environments.

The Situation

In May 2025, CISA alerted the public to a campaign targeting organizations that use Commvault’s Metallic service, which is hosted on Microsoft Azure. The attackers went after the application credentials (client secrets) that Commvault’s platform uses to reach customer Microsoft 365 tenants, with the aim of accessing those tenants directly. CISA assessed that the activity may be part of a broader campaign against SaaS providers’ cloud applications that run with default configurations and elevated permissions.

While the attackers did not access customers’ backup data, Commvault’s investigation found that the intrusion into its Azure environment exploited a then-unpatched vulnerability in Commvault Web Server (CVE-2025-3928), which allows a remote, authenticated attacker to create and execute web shells. After Microsoft notified Commvault of the unauthorized activity, Commvault patched the vulnerability and updated its advisory through April and May with new threat intelligence. The updates also included preventive steps that customers could take to protect their own environments, including rotating application credentials and reviewing Microsoft Entra audit and sign-in logs for unauthorized changes and access.

The activity included attempts to sign in to customers’ M365 environments with the stolen secrets, but Commvault reported no unauthorized access to customer backup data and no significant data breach. Commvault has since rotated the affected credentials and, by its own account, strengthened its key rotation and monitoring. Despite this, the risk to SaaS platforms that hold credentials for customer tenants remains high, especially as threat actors become more capable.

What Undercode Says: Analyzing the Threat and its Impact

The Commvault incident shows how attractive SaaS platforms that hold critical authentication credentials have become. The fact that attackers were able to exploit a zero-day vulnerability to obtain secrets for a few customers’ M365 tenants is concerning: it suggests the attackers had done reconnaissance on Commvault’s environment and understood where those secrets lived. Commvault itself attributed the activity to a nation-state threat actor, which raises the question of how well SaaS providers are protecting their platforms from targeted, state-sponsored attacks.

What is also alarming is how much SaaS usage sits outside enterprise management. One figure cited in the reporting on this incident puts the share of unmanaged SaaS applications at 90%, which, if even roughly accurate, represents a substantial risk to enterprises and underscores the need for an enterprise-wide SaaS security strategy. Traditional perimeter controls, such as firewalls or endpoint antivirus, never see a provider’s hosted platform or the application credentials stored there, so they cannot protect them; that exposure has to be addressed through identity controls and log review.

The incident also highlights a critical challenge in the cloud security landscape: identity and access management (IAM). Commvault provided useful guidance on rotating credentials, reviewing audit logs, and applying conditional access policies, but organizations need to rethink their IAM strategies around third-party applications. Tools like Microsoft Entra ID offer the necessary controls, but they require proper configuration and ongoing oversight to be effective. Note that multi-factor authentication (MFA), while essential for user accounts, does not apply to the application secrets at issue here, which authenticate a service principal rather than a person. For those, the relevant controls are a conditional access policy that restricts where the vendor’s application may sign in from, short-lived secrets rotated on a schedule, and alerting on any new credential added to the application.
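The two log reviews recommended above, checking for new credentials added to an application and checking where the vendor’s service principal signs in from, can be scripted. The following is an added example and not Commvault’s or CISA’s tooling; field names follow the Microsoft Graph directoryAudit and servicePrincipalSignIn schemas, while the records, the application ID, the expected-actor list and the IP allow list are constructed for the demonstration (Commvault publishes its real ranges).

```python
"""Hunt Microsoft Entra log records for the two signals the Commvault/CISA
guidance told customers to review: application credentials being added, and
service-principal sign-ins from addresses outside the vendor's allow list.

Added example, not vendor tooling.  Field names follow the Graph directoryAudit
and servicePrincipalSignIn schemas; all data below is constructed.
"""
import ipaddress
from datetime import datetime, timezone

# Directory-audit activities that add secrets or certificates to an app.
CREDENTIAL_CHANGE_ACTIVITIES = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}

# Assumption: the vendor's published source ranges.  203.0.113.0/24 is the
# TEST-NET-3 documentation block, used here as a stand-in.
VENDOR_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]


def _utc(ts: str) -> datetime:
    """Parse a Graph ISO-8601 timestamp (trailing 'Z') into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def _actor(record: dict) -> str:
    """Whoever initiated an audit event: a user UPN or an app display name."""
    initiated = record.get("initiatedBy") or {}
    user, app = initiated.get("user") or {}, initiated.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def find_credential_changes(audit_records, expected_actors):
    """Successful credential additions not made by an expected actor
    (for example the account that performs scheduled rotation)."""
    findings = []
    for rec in audit_records:
        if rec.get("activityDisplayName") not in CREDENTIAL_CHANGE_ACTIVITIES:
            continue
        if rec.get("result") != "success":   # failed attempts are not changes
            continue
        actor = _actor(rec)
        if actor in expected_actors:
            continue
        findings.append({
            "time": _utc(rec["activityDateTime"]),
            "actor": actor,
            "ip": ((rec.get("initiatedBy") or {}).get("user") or {}).get("ipAddress"),
            "targets": [t.get("displayName") for t in rec.get("targetResources", [])],
            "activity": rec["activityDisplayName"],
        })
    return findings


def find_signins_outside_allowlist(signin_records, app_id, allowlist=VENDOR_ALLOWLIST):
    """Sign-ins by the given application from an IP in no allow-listed network.
    Unparseable addresses are reported rather than silently skipped."""
    findings = []
    for rec in signin_records:
        if rec.get("appId") != app_id:
            continue
        raw_ip = rec.get("ipAddress", "")
        try:
            ip = ipaddress.ip_address(raw_ip)
            allowed = any(ip in net for net in allowlist)
        except ValueError:
            allowed = False
        if not allowed:
            findings.append({"time": _utc(rec["createdDateTime"]), "ip": raw_ip,
                             "sp": rec.get("servicePrincipalName")})
    return findings


# Constructed sample records (not real log data).
AUDIT_RECORDS = [
    {"activityDateTime": "2025-04-02T09:15:00Z", "result": "success",   # routine rotation
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "svc-rotation@example.com", "ipAddress": "203.0.113.10"}},
     "targetResources": [{"displayName": "Backup Connector", "type": "ServicePrincipal"}]},
    {"activityDateTime": "2025-04-03T02:41:17Z", "result": "success",   # what a responder wants to see
     "activityDisplayName": "Update application – Certificates and secrets management",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.77"}},
     "targetResources": [{"displayName": "Backup Connector", "type": "Application"}]},
    {"activityDateTime": "2025-04-03T02:40:05Z", "result": "failure",   # attempt that did not succeed
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.77"}},
     "targetResources": [{"displayName": "Backup Connector", "type": "ServicePrincipal"}]},
]

BACKUP_APP_ID = "11111111-2222-3333-4444-555555555555"   # placeholder client ID
SIGNIN_RECORDS = [
    {"createdDateTime": "2025-04-03T03:00:00Z", "appId": BACKUP_APP_ID,
     "servicePrincipalName": "Backup Connector", "ipAddress": "203.0.113.25"},
    {"createdDateTime": "2025-04-03T03:05:00Z", "appId": BACKUP_APP_ID,
     "servicePrincipalName": "Backup Connector", "ipAddress": "198.51.100.77"},
    {"createdDateTime": "2025-04-03T03:06:00Z", "appId": "other-app",
     "servicePrincipalName": "Unrelated", "ipAddress": "198.51.100.77"},
]

if __name__ == "__main__":
    for f in find_credential_changes(AUDIT_RECORDS, {"svc-rotation@example.com"}):
        print("credential change:", f)
    for f in find_signins_outside_allowlist(SIGNIN_RECORDS, BACKUP_APP_ID):
        print("sign-in outside allow list:", f)
```

Run against real data, the audit records come from the Graph `auditLogs/directoryAudits` endpoint filtered on the two activity names, and the sign-ins from `auditLogs/signIns` (service principal sign-ins are exposed through the same log family); the expected-actor set should contain only the identity that legitimately rotates the vendor’s secret, so that any other successful addition, including one by a privileged but unexpected administrator, surfaces for review.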

From a broader perspective, this attack is a wake-up call for organizations to invest in stronger SaaS security policies. In particular, the rise of zero-day vulnerabilities and the complexity of cloud environments require more than just reactive security measures. Organizations must proactively monitor and continuously update their cloud infrastructures to protect against evolving threats.

Fact Checker Results 📊

Zero-Day Vulnerability: Commvault patched CVE-2025-3928, which was exploited in the attack.
No Data Breach: The attackers did not access any customer backup data.
Enhanced Security Measures: Commvault implemented stronger key rotation and monitoring protocols.

Prediction: What Could Happen Next?

The growing sophistication of cyberattacks targeting SaaS platforms like Commvault’s Metallic will likely drive more organizations to adopt a “zero trust” security model. This will require businesses to rethink how they secure cloud-based applications, focusing more on identity verification, credential management, and constant monitoring for any signs of unauthorized access. Additionally, with the rise of nation-state actors targeting cloud environments, we can expect to see more partnerships between cybersecurity agencies, such as CISA, and private sector companies to strengthen cloud security protocols. As the threat landscape evolves, organizations will need to stay ahead of the curve with advanced security tools and strategies to protect against increasingly complex cyberattacks.

References:

Reported By: www.darkreading.com